[SPRING] Spring Security logout: the session is not invalidated
I have tried almost everything I could find on StackOverflow and elsewhere; it still does not work. I am using Spring Framework 4.1.6 and Spring Security 4.0.0.RELEASE. Even though I configured the namespace logout tag, the only way I can get the session invalidated is programmatically, in the controller, with a call to HttpSession.invalidate().
When I request the logout I am redirected to the right page, but the session is not invalidated and the JSESSIONID is not deleted. And this is not a cache effect: I have tried all the fine cache suggestions, and I am using @PreAuthorize annotations, so a user has to be authenticated to make the calls, yet the calls can still be made after logging out. The only way to get the session invalidated is to enter a wrong username/password in the login panel, to which I am redirected and where authentication is refused; at that point the session is destroyed.
I am running out of ideas and hints.
Here is the security-applicationContext.xml:
<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://www.springframework.org/schema/security"
    xmlns:oauth="http://www.springframework.org/schema/security/oauth"
    xsi:schemaLocation="http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-4.0.xsd
        http://www.springframework.org/schema/security/oauth
        http://www.springframework.org/schema/security/spring-security-oauth.xsd
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">
    <!-- -->
    <b:bean id="securityExpressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <b:property name="defaultRolePrefix" value="ROLE_" />
    </b:bean>
    <b:bean id="preInvocationAdvice" class="org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice">
        <b:property name="expressionHandler" ref="securityExpressionHandler" />
    </b:bean>
    <b:bean id="postInvocationAdvice" class="org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice">
        <b:constructor-arg ref="securityExpressionHandler" />
    </b:bean>
    <b:bean id="myRoleVoter" class="org.springframework.security.access.vote.RoleVoter">
        <b:property name="rolePrefix" value="ROLE_" />
    </b:bean>
    <!-- -->
    <!-- Access and login form configuration -->
    <!-- Allow free access to style sheets, fonts and images -->
    <http pattern='/resources/css/**' security="none" />
    <http pattern='/resources/fonts/**' security="none" />
    <http pattern='/resources/images/**' security="none" />
    <http pattern='/resources/js/**' security="none" />
    <http use-expressions="true" disable-url-rewriting="true">
        <!-- Limit each user to a single concurrent session -->
        <session-management invalid-session-url="/identite?session_invalide=1"
            session-authentication-error-url="/identite?identite_err=1">
            <concurrency-control max-sessions="1"
                expired-url="/identite?expiree=1" />
        </session-management>
        <!-- Definitions for the form of the login JSP page -->
        <form-login login-page="/identite"
            login-processing-url="/identite.proc"
            default-target-url="/"
            always-use-default-target="true"
            authentication-failure-url="/identite?identite_err=1"
            username-parameter="username"
            password-parameter="password" />
        <csrf disabled="false" />
        <logout logout-url="/deconnexion"
            logout-success-url="/identite?termine=1"
            delete-cookies="JSESSIONID" invalidate-session="true"
            />
        <!-- Use an encrypted channel for all exchanges -->
        <intercept-url requires-channel="https" pattern="/identite*" access="permitAll()" />
        <intercept-url requires-channel="https" pattern="/deconnexion*" access="permitAll()" />
        <intercept-url requires-channel="https" pattern="/logout*" access="permitAll()" />
        <intercept-url requires-channel="https" pattern="/action*" access="hasRole('ROLE_ADMIN') or hasRole('ROLE_SUPPORT')" />
        <intercept-url requires-channel="https" pattern="/causes*" access="hasRole('ROLE_ADMIN')" />
        <intercept-url requires-channel="https" pattern="/telechargement*" access="hasRole('ROLE_USER') or hasRole('ROLE_ADMIN')" />
        <intercept-url requires-channel="https" pattern="/**" access="isAuthenticated()" />
        <access-denied-handler error-page="/erreur403" />
    </http>
    <!-- Identity providers for the form -->
    <authentication-manager erase-credentials="true">
        <authentication-provider ref="monFournisseurAD" />
    </authentication-manager>
    <b:bean id="grantedAuthoritiesMapper" class="com.company.gisti.securite.ad.ActiveDirectoryGrantedAuthoritiesMapper">
        <b:description>Cette fève (bean) met en place la correspondance entre les groupes AD/LDAP et les rôles au niveau applicatif.</b:description>
        <b:property name="groupesAdministrateur">
            <b:description>Ensemble de noms de groupes dans AD/LDAP indiquant que l'usager a un rôle d'administrateur pour cette application.</b:description>
            <b:set value-type="java.lang.String">
                <b:value>SecRole-Support-DDMI</b:value>
            </b:set>
        </b:property>
        <b:property name="groupesSupport">
            <b:description>Ensemble de noms de groupes dans AD/LDAP indiquant que l'usager a un rôle d'usager de support pour cette application.</b:description>
            <b:set value-type="java.lang.String">
                <b:value>SecRole-Support-HpSM</b:value>
                <b:value>SecRole-AdminSystemeHPUCMDB</b:value>
            </b:set>
        </b:property>
        <b:property name="groupesUsager">
            <b:description>Ensemble de noms de groupes dans AD/LDAP indiquant que l'usager a un rôle d'utilisateur simple pour cette application.</b:description>
            <b:set value-type="java.lang.String">
                <b:value>SecRole-Utilisateurs-HPAM</b:value>
            </b:set>
        </b:property>
    </b:bean>
    <!-- Authentication through Active Directory -->
    <b:bean id="monFournisseurAD" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
        <b:constructor-arg value="campus.company.com" /> <!-- userPrincipalName of the form username@campus... -->
        <b:constructor-arg value="ldap://fsapps.company.uni:389/" /> <!-- how to reach the server -->
        <b:constructor-arg value="dc=fsapps,dc=company,dc=uni" /> <!-- baseObject -->
        <!-- the LDAP filter's ampersand must be written as &amp; inside an XML attribute -->
        <b:property name="searchFilter" value="(&amp;(userPrincipalName={0})(objectClass=user))" />
        <b:property name="userDetailsContextMapper">
            <b:bean class="org.springframework.security.ldap.userdetails.InetOrgPersonContextMapper" />
        </b:property>
        <b:property name="authoritiesMapper" ref="grantedAuthoritiesMapper" />
        <b:property name="convertSubErrorCodesToExceptions" value="true" />
    </b:bean>
    <b:bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />
    <b:bean id="myDeconnexionHandler" class="com.company.gisti.web.app.DeconnexionHandler" />
</b:beans>
And here is my mvc-applicationContext.xml:
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
        http://www.springframework.org/schema/mvc
        http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-4.1.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-4.0.xsd">
    <security:global-method-security pre-post-annotations="enabled" secured-annotations="enabled" />
    <context:annotation-config />
    <mvc:resources mapping="/resources/**" location="/resources/theme_desjardins/" />
    <mvc:annotation-driven />
    <mvc:interceptors>
        <mvc:interceptor>
            <mvc:mapping path="/**" />
            <!-- Send no-cache / no-store headers with every page so nothing is served from the browser cache -->
            <bean class="org.springframework.web.servlet.mvc.WebContentInterceptor">
                <property name="cacheSeconds" value="0" />
                <property name="useExpiresHeader" value="true" />
                <property name="useCacheControlHeader" value="true" />
                <property name="useCacheControlNoStore" value="true" />
            </bean>
        </mvc:interceptor>
    </mvc:interceptors>
    <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix" value="/WEB-INF/pages/" />
        <property name="suffix" value=".jsp" />
    </bean>
    <context:component-scan base-package="com.company.gisti.web.app" />
</beans>
There is a logout success handler bean defined in my security xml file. It is not used in this configuration, but I did try one and it was never called. I could probably implement a logoutHandler, but at this point that would be about the same as invalidating the session the way I am doing it in the servlet controller.
Update 2015-04-23 11:06:00 EDT
My problem was that the logout URL was accessed via GET instead of POST, which is required because CSRF protection is enabled. I fixed that part, and the session is now invalidated correctly. The only thing that still does not work is the redirect to the login page. BTW, my logout URL is /deconnexion and the login URL is /identite. So the session really is invalidated, but I stay on the same page, while the background processes are no longer authenticated against the server and are therefore no longer authorized. To get the page refreshed I have to click an unauthorized URL, which raises an AccessDeniedException. In the following log I do not give the whole result of clicking such a URL; the URL is /causes in the log. Once the exception occurs, I am redirected to the login page. The first two rows of the log show that the login and the page load completed successfully. Then the logout begins.
2015-04-23 11:01:40,040 DEBUG (o.s.w.s.FrameworkServlet.processRequest) [http-8443-1] Successfully completed request MDC{}
2015-04-23 11:01:40,040 DEBUG (o.s.s.w.a.ExceptionTranslationFilter.doFilter) [http-8443-1] Chain processed normally MDC{}
2015-04-23 11:01:40,040 DEBUG (o.s.s.w.c.SecurityContextPersistenceFilter.doFilter) [http-8443-1] SecurityContextHolder now cleared, as request processing completed MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/resources/css/**' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/resources/fonts/**' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/resources/images/**' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/resources/js/**' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 1 of 13 in additional filter chain; firing Filter: 'ChannelProcessingFilter' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/identite*' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/deconnexion*' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.a.c.ChannelProcessingFilter.doFilter) [http-8443-2] Request: FilterInvocation: URL: /deconnexion; ConfigAttributes: [REQUIRES_SECURE_CHANNEL] MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.c.HttpSessionSecurityContextRepository.readSecurityContextFromSession) [http-8443-2] Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@49e898d4: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@49e898d4: Principal: org.springframework.security.ldap.userdetails.InetOrgPerson@644dcdae: Dn: CN=MYUSERNAME,OU=Utilisateurs,DC=fsapps,DC=company,DC=uni; Username: myusername; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: SecRole-Support-DDMI, SecRole-Utilisateurs-HPAM; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: 783C021534873EBDFCCD914F8B7F1C8C; Granted Authorities: ROLE_ADMIN, ROLE_USER, ROLE_SUPPORT' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 3 of 13 in additional filter chain; firing Filter: 'ConcurrentSessionFilter' MDC{}
2015-04-23 11:01:43,020 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 4 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 5 of 13 in additional filter chain; firing Filter: 'CsrfFilter' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /deconnexion at position 6 of 13 in additional filter chain; firing Filter: 'LogoutFilter' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/deconnexion'; against '/deconnexion' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.a.l.LogoutFilter.doFilter) [http-8443-2] Logging out user 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@49e898d4: Principal: org.springframework.security.ldap.userdetails.InetOrgPerson@644dcdae: Dn: CN=MYUSERNAME,OU=Utilisateurs,DC=fsapps,DC=company,DC=uni; Username: myusername; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: SecRole-Support-DDMI, SecRole-Utilisateurs-HPAM; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: 783C021534873EBDFCCD914F8B7F1C8C; Granted Authorities: ROLE_ADMIN, ROLE_USER, ROLE_SUPPORT' and transferring to logout destination MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.a.l.SecurityContextLogoutHandler.logout) [http-8443-2] Invalidating session: 444589E454C7CDF3C9DBFC62E8CA0541 MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.s.HttpSessionEventPublisher.sessionDestroyed) [http-8443-2] Publishing event: org.springframework.security.web.session.HttpSessionDestroyedEvent[source=org.apache.catalina.session.StandardSessionFacade@565f0e7d] MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.c.s.SessionRegistryImpl.removeSessionInformation) [http-8443-2] Removing session 444589E454C7CDF3C9DBFC62E8CA0541 from principal's set of registered sessions MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.c.s.SessionRegistryImpl.removeSessionInformation) [http-8443-2] Removing principal org.springframework.security.ldap.userdetails.InetOrgPerson@644dcdae: Dn: CN=MYUSERNAME,OU=Utilisateurs,DC=fsapps,DC=company,DC=uni; Username: myusername; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: SecRole-Support-DDMI, SecRole-Utilisateurs-HPAM from registry MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.a.AbstractAuthenticationTargetUrlRequestHandler.determineTargetUrl) [http-8443-2] Using default Url: /identite MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.DefaultRedirectStrategy.sendRedirect) [http-8443-2] Redirecting to '/CaissesDispo/identite' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.c.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper.saveContext) [http-8443-2] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.c.SecurityContextPersistenceFilter.doFilter) [http-8443-2] SecurityContextHolder now cleared, as request processing completed MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/resources/css/**' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/resources/fonts/**' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/resources/images/**' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/resources/js/**' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 1 of 13 in additional filter chain; firing Filter: 'ChannelProcessingFilter' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/identite*' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.a.c.ChannelProcessingFilter.doFilter) [http-8443-2] Request: FilterInvocation: URL: /identite; ConfigAttributes: [REQUIRES_SECURE_CHANNEL] MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.c.HttpSessionSecurityContextRepository.readSecurityContextFromSession) [http-8443-2] No HttpSession currently exists MDC{}
2015-04-23 11:01:43,035 DEBUG (o.s.s.w.c.HttpSessionSecurityContextRepository.loadContext) [http-8443-2] No SecurityContext was available from the HttpSession: null. A new one will be created. MDC{}
2015-04-23 11:01:43,051 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 3 of 13 in additional filter chain; firing Filter: 'ConcurrentSessionFilter' MDC{}
2015-04-23 11:01:43,051 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 4 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 5 of 13 in additional filter chain; firing Filter: 'CsrfFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 6 of 13 in additional filter chain; firing Filter: 'LogoutFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Request 'GET /identite' doesn't match 'POST /deconnexion MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 7 of 13 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Request 'GET /identite' doesn't match 'POST /identite.proc MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 8 of 13 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 9 of 13 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 10 of 13 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.a.AnonymousAuthenticationFilter.doFilter) [http-8443-2] Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 11 of 13 in additional filter chain; firing Filter: 'SessionManagementFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 12 of 13 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite at position 13 of 13 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/identite'; against '/identite*' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.a.i.AbstractSecurityInterceptor.beforeInvocation) [http-8443-2] Secure object: FilterInvocation: URL: /identite; Attributes: [permitAll()] MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.a.i.AbstractSecurityInterceptor.authenticateIfRequired) [http-8443-2] Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.a.v.AffirmativeBased.decide) [http-8443-2] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@514ade37, returned: 1 MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.a.i.AbstractSecurityInterceptor.beforeInvocation) [http-8443-2] Authorization successful MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.a.i.AbstractSecurityInterceptor.beforeInvocation) [http-8443-2] RunAsManager did not change Authentication object MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.FilterChainProxy$VirtualFilterChain.doFilter) [http-8443-2] /identite reached end of additional filter chain; proceeding with original chain MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.DispatcherServlet.doService) [http-8443-2] DispatcherServlet with name 'mvc-dispatcher' processing GET request for [/CaissesDispo/identite] MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.h.AbstractHandlerMethodMapping.getHandlerInternal) [http-8443-2] Looking up handler method for path /identite MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.h.AbstractHandlerMethodMapping.getHandlerInternal) [http-8443-2] Returning handler method [public java.lang.String com.company.gisti.web.app.ControleurIdentite.handleIdentiteJsp()] MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'controleurIdentite' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.DispatcherServlet.doDispatch) [http-8443-2] Last-Modified value for [/CaissesDispo/identite] is: -1 MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.m.WebContentInterceptor.preHandle) [http-8443-2] Looking up cache seconds for [/identite] MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.m.WebContentInterceptor.preHandle) [http-8443-2] Applying default cache seconds to [/identite] MDC{}
2015-04-23 11:01:43,052 INFO (c.d.g.w.c.ControleurIdentite.handleIdentiteJsp) [http-8443-2] ************************* >>>>>>> Redirige vers identite <<<<<<<<<<<<< *************** MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.DispatcherServlet.render) [http-8443-2] Rendering view [org.springframework.web.servlet.view.JstlView: name 'identite'; URL [/WEB-INF/pages/identite.jsp]] in DispatcherServlet with name 'mvc-dispatcher' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'requestDataValueProcessor' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.w.s.v.InternalResourceView.renderMergedOutputModel) [http-8443-2] Forwarding to resource [/WEB-INF/pages/identite.jsp] in InternalResourceView 'identite' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.s.w.s.HttpSessionEventPublisher.sessionCreated) [http-8443-2] Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.apache.catalina.session.StandardSessionFacade@27573872] MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler#0' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'securityExpressionHandler' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler#0' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler#0' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'securityExpressionHandler' MDC{}
2015-04-23 11:01:43,052 DEBUG (o.s.b.f.s.AbstractBeanFactory.doGetBean) [http-8443-2] Returning cached instance of singleton bean 'org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler#0' MDC{}
2015-04-23 11:01:43,083 DEBUG (o.s.s.w.c.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper.saveContext) [http-8443-2] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. MDC{}
2015-04-23 11:01:43,083 DEBUG (o.s.w.s.FrameworkServlet.processRequest) [http-8443-2] Successfully completed request MDC{}
2015-04-23 11:01:43,083 DEBUG (o.s.s.w.a.ExceptionTranslationFilter.doFilter) [http-8443-2] Chain processed normally MDC{}
2015-04-23 11:01:43,083 DEBUG (o.s.s.w.c.SecurityContextPersistenceFilter.doFilter) [http-8443-2] SecurityContextHolder now cleared, as request processing completed MDC{}
2015-04-23 11:01:45,907 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/causes'; against '/resources/css/**' MDC{}
2015-04-23 11:01:45,907 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/causes'; against '/resources/fonts/**' MDC{}
2015-04-23 11:01:45,907 DEBUG (o.s.s.w.u.m.AntPathRequestMatcher.matches) [http-8443-2] Checking match of request : '/causes'; against '/resources/images/**' MDC{}
Update 2015-04-23 14:37:00 SOLVED
My problem is solved. Since I send a POST via AJAX to log out, I had my logout success handler return the URL the browser is supposed to be pointed to. I then have to point the browser to that location manually in JavaScript with window.location.href = new_url.
Solutions
-
==============================
1. Since this has been answered, the question can be closed.
If you are using Spring Security's CSRF protection, you must log out via POST (although this might be possible).
Could you use AJAX rather than JavaScript to do the logout POST? Like:
<!-- anywhere in your document: -->
<form:form action="deconnexion" id="logoutForm">
    <!-- csrf hidden input included automagically -->
</form:form>
<!-- in your menu: -->
<a href="#" onclick="document.forms.namedItem('logoutForm').submit()">Log out</a>
-
==============================
2. Update 2015-04-23 14:37:00 SOLVED
My problem is solved. Since I send a POST via AJAX to log out, I had my logout success handler return the URL the browser is supposed to be pointed to. I then have to point the browser to that location manually in JavaScript with window.location.href = new_url.
Update 2015-04-23 15:55:00 follow-up
Note: I have to put this in a separate answer because I reached the limit in a single post.
Here is a snippet of the JavaScript code that posts the logout request via AJAX:
$('#deconnexion').click(function(event) {
    // Send the request, carrying the CSRF token in the header Spring Security expects
    var csrfToken = $("meta[name='_csrf']").attr("content");
    var csrfHeader = $("meta[name='_csrf_header']").attr("content");
    var csrf_header = {};
    csrf_header[csrfHeader] = csrfToken;
    $.ajax({
        headers: csrf_header,
        url: 'deconnexion',
        processData: false,
        type: "POST",
        contentType: "text/xml",
        dataType: "text",
        success: function(data, textStatus, xhr) {
            /* */
            console.log("Etat rapporté: " + xhr.status);
            console.log("Données: " + data);
            console.log("Etat description: " + textStatus);
            console.log("reponseText: " + xhr.responseText);
            console.log("URL redirection: " + xhr.getResponseHeader("Location"));
            /* */
            //window.location.href = xhr.getResponseHeader("Location");
        },
        error: function(xhr, textStatus, thrownError) {
            /*
            console.log("Etat rapporté: " + xhr.status);
            console.log("Erreur description: " + thrownError);
            console.log("Etat description: " + textStatus);
            console.log("reponseText: " + xhr.responseText);
            */
            window.location.href = xhr.getResponseHeader("Location");
        }
    });
});
I have not tested the error condition yet. In the script, window.location.href is commented out for testing.
Here is the screenshot:
If there is something that can be done so that the browser and AJAX do that job, I would like to know how.
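The server side of the solved update, as an added example that is not the original post's com.company.gisti.web.app.DeconnexionHandler: an XMLHttpRequest follows a 302 transparently, so the Location header of the logout response never reaches the success callback; this LogoutSuccessHandler (class name, package and the reliance on the X-Requested-With header are assumptions) answers AJAX logouts with a 200 whose body is the target URL and still redirects plain form submits. It replaces logout-success-url with success-handler-ref on the logout element, since the namespace does not allow both.

```java
// Added example; wire it in place of logout-success-url (the two attributes are mutually exclusive):
//   <logout logout-url="/deconnexion" success-handler-ref="myDeconnexionHandler"
//           delete-cookies="JSESSIONID" invalidate-session="true" />
//   <b:bean id="myDeconnexionHandler" class="com.example.securite.AjaxAwareLogoutSuccessHandler">
//       <b:constructor-arg value="/identite?termine=1" />
//   </b:bean>
package com.example.securite; // hypothetical package

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;

/**
 * Logout success handler that tells an AJAX client where to go instead of redirecting it.
 * The browser follows a 302 on an XMLHttpRequest by itself, so the success callback only
 * ever sees the headers of the final page (no Location); a 200 carrying the target URL in
 * its body is visible. A plain form submit, as in the first answer, still gets the redirect.
 */
public class AjaxAwareLogoutSuccessHandler implements LogoutSuccessHandler {

    private final SimpleUrlLogoutSuccessHandler browserHandler = new SimpleUrlLogoutSuccessHandler();
    private final String targetUrl;

    /** @param targetUrl context-relative page to show after logout, e.g. "/identite?termine=1" */
    public AjaxAwareLogoutSuccessHandler(String targetUrl) {
        this.targetUrl = targetUrl;
        browserHandler.setDefaultTargetUrl(targetUrl);
        browserHandler.setAlwaysUseDefaultTargetUrl(true);
    }

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication authentication) throws IOException, ServletException {
        // When this runs, LogoutFilter has already invalidated the session and cleared the
        // JSESSIONID cookie (invalidate-session / delete-cookies on the logout element).
        if (isAjax(request)) {
            response.setStatus(HttpServletResponse.SC_OK);
            response.setContentType("text/plain;charset=UTF-8");
            response.setHeader("Cache-Control", "no-store"); // a logout response must never be cached
            PrintWriter out = response.getWriter();
            out.write(request.getContextPath() + targetUrl);   // e.g. /CaissesDispo/identite?termine=1
            out.flush();
            return;
        }
        browserHandler.onLogoutSuccess(request, response, authentication);
    }

    /** jQuery adds this header to every same-origin $.ajax call (assumption: no crossDomain option). */
    private static boolean isAjax(HttpServletRequest request) {
        return "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
    }
}
```

With this in place the success callback of the $.ajax call above reduces to window.location.href = data, and the CSRF token header must still be sent, otherwise CsrfFilter rejects the POST before LogoutFilter ever runs.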
From https://stackoverflow.com/questions/29811266/spring-security-logout-session-is-not-invalidated, under the cc-by-sa and MIT licenses