Spring Security沒有始終執行註銷

Question

這裏是我的春節，安全配置：

web.xml中：

<?xml version="1.0" encoding="UTF-8"?> 
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
       http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" 
    version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"> 

    <context-param> 
     <param-name>contextConfigLocation</param-name> 
     <param-value> 
      classpath:applicationContext-security.xml 
     </param-value> 
    </context-param> 

    <context-param> 
     <param-name>webAppRootKey</param-name> 
     <param-value>tutorial.root</param-value> 
    </context-param> 

    <filter> 
     <filter-name>springSecurityFilterChain</filter-name> 
     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
    </filter> 

    <filter-mapping> 
     <filter-name>springSecurityFilterChain</filter-name> 
     <url-pattern>/*</url-pattern> 
    </filter-mapping> 

    <listener> 
     <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
    </listener> 

    <listener> 
     <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class> 
    </listener> 

    <servlet> 
     <servlet-name>greetServlet</servlet-name> 
     <servlet-class>ru.andrew.springsecuregwt.server.GreetingServiceImpl</servlet-class> 
    </servlet> 

    <servlet-mapping> 
     <servlet-name>greetServlet</servlet-name> 
     <url-pattern>/springsecuregwt/greet</url-pattern> 
    </servlet-mapping> 

    <welcome-file-list> 
     <welcome-file>Springsecuregwt.html</welcome-file> 
    </welcome-file-list> 
</web-app> 

的applicationContext-security.xml文件：

<?xml version="1.0" encoding="UTF-8"?> 

<beans:beans xmlns="http://www.springframework.org/schema/security" 
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
         http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> 

    <debug /> 

    <global-method-security pre-post-annotations="enabled" /> 

    <http pattern="/static/**" security="none"/> 
    <http pattern="/loggedout.jsp" security="none"/> 

    <http use-expressions="true"> 
     <intercept-url pattern="/" access="isAuthenticated()" /> 
     <intercept-url pattern="/secure/extreme/**" access="hasRole('supervisor')"/> 
     <intercept-url pattern="/secure/**" access="isAuthenticated()" /> 
     <intercept-url pattern="/**" access="isAuthenticated()" /> 
     <form-login /> 
     <logout logout-success-url="/loggedout.jsp" delete-cookies="JSESSIONID"/> 
     <remember-me /> 
    </http> 

    <beans:bean id="encoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"/> 

    <authentication-manager> 
     <authentication-provider> 
      <password-encoder ref="encoder"/> 
      <user-service> 
       <user name="rod" password="4efe081594ce25ee4efd9f7067f7f678a347bccf2de201f3adf2a3eb544850b465b4e51cdc3fcdde" authorities="supervisor, user, teller" /> 
       <user name="dianne" password="957ea522524a41cbfb649a3e293d56268f840fd5b661b499b07858bc020d6d223f912e3ab303b00f" authorities="user,teller" /> 
       <user name="scott" password="fb1f9e48058d30dc21c35ab4cf895e2a80f2f03fac549b51be637196dfb6b2b7276a89c65e38b7a1" authorities="user" /> 
       <user name="peter" password="e175750688deee19d7179d444bfaf92129f4eea8b4503d83eb8f92a7dd9cda5fbae73638c913e420" authorities="user" /> 
      </user-service> 
     </authentication-provider> 
    </authentication-manager> 

</beans:beans> 

當我點擊註銷鏈接時，我已成功登錄註銷頁面，但是如果我輸入

localhost:8080/projectname 

在新的Chrome選項卡中，我可以訪問應用程序，無需任何身份驗證頁面。

我該怎麼做，我該如何解決這種安全問題？

Answer 1

Spring remembeMe功能創建一個名爲'SPRING_SECURITY_REMEMBER_ME_COOKIE'的cookie。然後它使用它來驗證。如果您的註銷只會刪除webapp容器會話ID，那麼身份驗證會檢查該cookie，然後檢查是否存在此cookie。所以你需要確保你在註銷時刪除這個cookie。