[SPRING] Spring Security j_spring_security logout problem
I am working with Spring Security, but the j_spring_security_check servlet doesn't seem to work. How do I debug the problem, or find the root cause? I don't see any useful log file...
<?xml version="1.0" encoding="UTF-8"?>
<!--
  - Sample namespace-based configuration
  -
  -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <global-method-security pre-post-annotations="enabled">
        <!--
          AspectJ pointcut expression that locates our "post" method and
          applies security that way <protect-pointcut expression="execution(*
          bigbank.*Service.post*(..))" access="ROLE_TELLER"/>
        -->
    </global-method-security>

    <http use-expressions="true">
        <intercept-url pattern="/" access="permitAll" />
        <intercept-url pattern="/login/**" filters="none" />
        <intercept-url pattern="/static/**" filters="none" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <form-login login-page="/login/login.jsp"
            default-target-url="/fileList.do"
            authentication-failure-url="/login/login.jsp?login_error=1" />
        <logout logout-success-url="/login/logout_success.jsp" />
        <!--
          Uncomment to enable X509 client authentication support <x509 />
        -->
        <!-- Uncomment to limit the number of sessions a user can have -->
        <session-management invalid-session-url="/timeout.jsp">
            <concurrency-control max-sessions="1"
                error-if-maximum-exceeded="true" />
        </session-management>
    </http>
</beans:beans>
Edit
OK, I checked the error, and here is a snippet of the log file.
When I log off:
DEBUG [http-8080-2] (FilterChainProxy.java:175) - Converted URL to lowercase, from: '/j_spring_security_logout'; to: '/j_spring_security_logout'
DEBUG [http-8080-2] (FilterChainProxy.java:182) - Candidate is: '/j_spring_security_logout'; pattern is /login/**; matched=false
DEBUG [http-8080-2] (FilterChainProxy.java:175) - Converted URL to lowercase, from: '/j_spring_security_logout'; to: '/j_spring_security_logout'
DEBUG [http-8080-2] (FilterChainProxy.java:182) - Candidate is: '/j_spring_security_logout'; pattern is /static/**; matched=false
DEBUG [http-8080-2] (FilterChainProxy.java:175) - Converted URL to lowercase, from: '/j_spring_security_logout'; to: '/j_spring_security_logout'
DEBUG [http-8080-2] (FilterChainProxy.java:182) - Candidate is: '/j_spring_security_logout'; pattern is /**; matched=true
DEBUG [http-8080-2] (FilterChainProxy.java:350) - /j_spring_security_logout at position 1 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.session.ConcurrentSessionFilter@40ece0'
DEBUG [http-8080-2] (FilterChainProxy.java:350) - /j_spring_security_logout at position 2 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter@1041876'
DEBUG [http-8080-2] (HttpSessionSecurityContextRepository.java:165) - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@86583dd2: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@86583dd2: Principal: org.springframework.security.core.userdetails.User@2117c700: Username: rod; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERVISOR,ROLE_TELLER,ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: C6056CE774DE3568943D98A05ABCC744; Granted Authorities: ROLE_SUPERVISOR, ROLE_TELLER, ROLE_USER'
DEBUG [http-8080-2] (FilterChainProxy.java:350) - /j_spring_security_logout at position 3 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.logout.LogoutFilter@174a6e2'
DEBUG [http-8080-2] (LogoutFilter.java:93) - Logging out user 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@86583dd2: Principal: org.springframework.security.core.userdetails.User@2117c700: Username: rod; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERVISOR,ROLE_TELLER,ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: C6056CE774DE3568943D98A05ABCC744; Granted Authorities: ROLE_SUPERVISOR, ROLE_TELLER, ROLE_USER' and transferring to logout destination
DEBUG [http-8080-2] (AbstractAuthenticationTargetUrlRequestHandler.java:93) - Using default Url: /login/logout_success.jsp
DEBUG [http-8080-2] (DefaultRedirectStrategy.java:34) - Redirecting to '/crvWeb/login/logout_success.jsp'
DEBUG [http-8080-2] (HttpSessionSecurityContextRepository.java:359) - HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session
DEBUG [http-8080-2] (SecurityContextPersistenceFilter.java:89) - SecurityContextHolder now cleared, as request processing completed
DEBUG [http-8080-2] (FilterChainProxy.java:175) - Converted URL to lowercase, from: '/login/logout_success.jsp'; to: '/login/logout_success.jsp'
DEBUG [http-8080-2] (FilterChainProxy.java:182) - Candidate is: '/login/logout_success.jsp'; pattern is /login/**; matched=true
DEBUG [http-8080-2] (FilterChainProxy.java:139) - has an empty filter list
Then I log in again. Spring says that I currently have a session and does not allow me to log in.
It logs an exception in the log. Reason: Maximum sessions of 1 for this principal exceeded.
DEBUG [http-8080-2] (FilterChainProxy.java:175) - Converted URL to lowercase, from: '/j_spring_security_check'; to: '/j_spring_security_check'
DEBUG [http-8080-2] (FilterChainProxy.java:182) - Candidate is: '/j_spring_security_check'; pattern is /login/**; matched=false
DEBUG [http-8080-2] (FilterChainProxy.java:175) - Converted URL to lowercase, from: '/j_spring_security_check'; to: '/j_spring_security_check'
DEBUG [http-8080-2] (FilterChainProxy.java:182) - Candidate is: '/j_spring_security_check'; pattern is /static/**; matched=false
DEBUG [http-8080-2] (FilterChainProxy.java:175) - Converted URL to lowercase, from: '/j_spring_security_check'; to: '/j_spring_security_check'
DEBUG [http-8080-2] (FilterChainProxy.java:182) - Candidate is: '/j_spring_security_check'; pattern is /**; matched=true
DEBUG [http-8080-2] (FilterChainProxy.java:350) - /j_spring_security_check at position 1 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.session.ConcurrentSessionFilter@40ece0'
DEBUG [http-8080-2] (FilterChainProxy.java:350) - /j_spring_security_check at position 2 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter@1041876'
DEBUG [http-8080-2] (HttpSessionSecurityContextRepository.java:141) - HttpSession returned null object for SPRING_SECURITY_CONTEXT
DEBUG [http-8080-2] (HttpSessionSecurityContextRepository.java:87) - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@e3fda4. A new one will be created.
DEBUG [http-8080-2] (FilterChainProxy.java:350) - /j_spring_security_check at position 3 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.logout.LogoutFilter@174a6e2'
DEBUG [http-8080-2] (FilterChainProxy.java:350) - /j_spring_security_check at position 4 of 10 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@1786a3c'
DEBUG [http-8080-2] (AbstractAuthenticationProcessingFilter.java:193) - Request is to process authentication
DEBUG [http-8080-2] (ProviderManager.java:117) - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
DEBUG [http-8080-2] (AbstractAuthenticationProcessingFilter.java:318) - Authentication request failed: org.springframework.security.web.authentication.session.SessionAuthenticationException: Maximum sessions of 1 for this principal exceeded
DEBUG [http-8080-2] (AbstractAuthenticationProcessingFilter.java:319) - Updated SecurityContextHolder to contain null Authentication
DEBUG [http-8080-2] (AbstractAuthenticationProcessingFilter.java:320) - Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@21447f
DEBUG [http-8080-2] (SimpleUrlAuthenticationFailureHandler.java:56) - Redirecting to /login/login.jsp?login_error=1
DEBUG [http-8080-2] (DefaultRedirectStrategy.java:34) - Redirecting to '/crvWeb/login/login.jsp?login_error=1'
DEBUG [http-8080-2] (SecurityContextPersistenceFilter.java:89) - SecurityContextHolder now cleared, as request processing completed
DEBUG [http-8080-2] (FilterChainProxy.java:175) - Converted URL to lowercase, from: '/login/login.jsp'; to: '/login/login.jsp'
DEBUG [http-8080-2] (FilterChainProxy.java:182) - Candidate is: '/login/login.jsp'; pattern is /login/**; matched=true
DEBUG [http-8080-2] (FilterChainProxy.java:139) - has an empty filter list
Why doesn't my logoff work? What should I do?
Solutions
-
==============================
1. Have you configured logging for your webapp to set the logging level to DEBUG? Spring / Spring Security outputs a lot of useful information at that level.
Edit
The log files are typically written to $CATALINA_HOME/logs, but it depends on your logging properties.
A simple way to configure logging for a webapp is to put a log4j.properties or log4j.xml file in the webapp's /WEB-INF/classes directory.
The resource file needs to be in the classes directory to be accessed via the classpath. But it could be anywhere in the webapp tree if you can access it some other way. You could even put the resource outside the tree, but then you have a problem deploying the resource.
This question is covered more comprehensively in the relevant Tomcat and Log4j documentation. Possibly in Spring's "Getting Started" documentation as well.
-
==============================
2. Spring Security needs a listener in web.xml to enable this. docs:
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
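A configuration check for the failure mode the second answer points at, added here as an example and not part of the original post: it flags a security context that uses concurrency-control while web.xml does not register HttpSessionEventPublisher, in which case the session registry is never told that a logged-out session was destroyed. The sample XML is constructed from the question's configuration, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SEC_NS = "http://www.springframework.org/schema/security"
PUBLISHER = "org.springframework.security.web.session.HttpSessionEventPublisher"

# Constructed sample inputs, trimmed from the configuration in the question.
SECURITY_XML = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <http use-expressions="true">
    <logout logout-success-url="/login/logout_success.jsp" />
    <session-management invalid-session-url="/timeout.jsp">
      <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
    </session-management>
  </http>
</beans:beans>"""

WEB_XML_NO_LISTENER = "<web-app><display-name>crvWeb</display-name></web-app>"

WEB_XML_WITH_LISTENER = """<web-app>
  <listener>
    <listener-class>
      org.springframework.security.web.session.HttpSessionEventPublisher
    </listener-class>
  </listener>
</web-app>"""

def concurrency_limits(security_xml):
    """Return the max-sessions value of every <concurrency-control> element."""
    root = ET.fromstring(security_xml)
    # max-sessions defaults to 1 when the attribute is omitted
    return [el.get("max-sessions", "1")
            for el in root.iter("{%s}concurrency-control" % SEC_NS)]

def has_session_event_publisher(web_xml):
    """True if web.xml registers HttpSessionEventPublisher as a listener."""
    for el in ET.fromstring(web_xml).iter():
        # rsplit drops an optional '{namespace}' prefix on the tag
        name = el.tag.rsplit("}", 1)[-1]
        if name == "listener-class" and (el.text or "").strip() == PUBLISHER:
            return True
    return False

def check(security_xml, web_xml):
    """Flag concurrency control that never hears about destroyed sessions."""
    limits = concurrency_limits(security_xml)
    if limits and not has_session_event_publisher(web_xml):
        return ["concurrency-control max-sessions=%s is set but web.xml has no "
                "HttpSessionEventPublisher listener" % ",".join(limits)]
    return []
```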
from https://stackoverflow.com/questions/3145936/spring-security-j-spring-security-logout-problem by cc-by-sa and MIT license