
我相信這個問題已經被問過很多次,但我找不到一個好的解決方案。註銷後被重定向到 `/sessiontimeout`,而不是 `/logout`。

當用戶點擊註銷時,控制流會轉到 /sessiontimeout 而不是 /logout。我看過一些建議把 invalidate-session 的值改為 false 的不同解決方案。如果這樣做,我們要如何按照 Spring 的標準方式使會話失效?

我試過這個解決方案,但如果用相同的用戶重新登錄,它會提示先前的會話仍然存在。

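<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring Security context (security schema 3.2, beans schema 3.1).
  The security namespace is the default namespace; core Spring bean
  elements carry the "beans:" prefix. Package names and the JDBC queries
  are placeholders left by the author of the listing.
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:aop="http://www.springframework.org/schema/aop"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
     http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
     http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
     http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">

    <context:property-placeholder location="classpath*:META-INF/spring/*.properties"/>
    <context:component-scan base-package="blah.blah.blah" />

    <!-- Static resources bypass the security filter chain completely (no session handling, no authorization). -->
    <http pattern="/resources/**" security="none"/>

    <!--
      Main filter chain for every other request. The original listing printed this
      opening tag twice; a well-formed document has exactly one <http> per chain.
      "accessDecisionManager" is referenced here but not defined in this file.
    -->
    <http access-decision-manager-ref="accessDecisionManager" use-expressions="true">
      <!-- Pages that must be reachable without an authenticated principal. -->
      <intercept-url pattern="/login" access="permitAll" />
      <intercept-url pattern="/logout" access="permitAll" />
      <intercept-url pattern="/loginfailed" access="permitAll" />
      <intercept-url pattern="/sessiontimeout" access="permitAll" />
      <intercept-url pattern="/sessionTerminated" access="permitAll" />
      <!--
        NOTE(review): no intercept-url covers the remaining URLs (e.g. pattern="/**"),
        so as listed nothing else is restricted by this chain - presumably that rule
        was elided from the listing; confirm against the full configuration.
      -->

      <!-- /logout invalidates the HttpSession, expires the JSESSIONID cookie and redirects to /login. -->
      <logout delete-cookies="JSESSIONID" logout-success-url="/login" logout-url="/logout" invalidate-session="true"/>

      <!--
        invalid-session-url: a request that presents a session id the container no
        longer recognises is redirected to /sessiontimeout. NOTE(review): if the
        post-logout redirect to /login still carries the old JSESSIONID (for example
        because the cookie path written by delete-cookies differs from the one the
        container set), it is handled by this rule rather than reaching /login, which
        matches the symptom described in the question - verify which cookie the
        browser sends on that redirect.
        session-fixation-protection="newSession": a fresh session is created on
        login without copying the old attributes.
      -->
      <session-management session-authentication-error-url="/loginfailed" session-fixation-protection="newSession" invalid-session-url="/sessiontimeout">
        <!--
          One concurrent session per principal. With error-if-maximum-exceeded="false"
          the newer login wins and the older session is expired; its next request is
          sent to /sessionTerminated. Session tracking relies on the "sessionRegistry"
          bean below and on HttpSessionEventPublisher being registered in web.xml.
        -->
        <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" expired-url="/sessionTerminated" session-registry-alias="sessionRegistry"/>
      </session-management>
    </http>

    <!-- Two providers are consulted in order: the JDBC user service, then the custom authService bean. -->
    <authentication-manager alias="authenticationManager">
     <authentication-provider>
      <!-- "//query//" is a placeholder; the real SQL is not part of this listing. -->
      <jdbc-user-service data-source-ref="infrastructureDataSource"
       authorities-by-username-query="//query//"
       users-by-username-query="//query//" />
      <password-encoder ref="passwordEncoder" />
     </authentication-provider>

     <authentication-provider ref="authService" />
    </authentication-manager>


    <beans:bean id="authService" class="blah.blah.blah.blah.AuthServiceImpl" />

    <!-- BCrypt encoder used by the JDBC provider to verify stored password hashes. -->
    <beans:bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

    <!-- Declared here but not referenced by the <http> element in this listing. -->
    <beans:bean id="customAuthenticationHandler" class="blah.blah.blah.CustomAuthenticationSuccessHandler" />

    <!-- Backing registry for concurrency-control (session-registry-alias="sessionRegistry" above). -->
    <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

    <beans:bean id="customApplicationListener" class="blah.blah.blah.CustomApplicationListener" />
</beans:beans>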

web.xml:

<?xml version="1.0" encoding="ISO-8859-1"?> 
<!-- Servlet 2.5 deployment descriptor; the listing is truncated after the filter declaration. -->
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
     xmlns="http://java.sun.com/xml/ns/javaee" 
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" 
     id="WebApp_ID" 
     version="2.5" 
     metadata-complete="true"> 

    <!-- Processes application requests --> 
    <servlet> 
     <servlet-name>appContext</servlet-name> 
     <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> 
     <load-on-startup>1</load-on-startup> 
    </servlet> 

    <!-- The dispatcher handles every request not claimed by a more specific mapping. --> 
    <servlet-mapping> 
     <servlet-name>appContext</servlet-name> 
     <url-pattern>/</url-pattern> 
    </servlet-mapping> 

    <!-- Bootstraps the root application context from contextConfigLocation below. --> 
    <listener> 
     <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
    </listener> 
    <!-- Publishes session created/destroyed events so the Spring Security session registry 
         (used by concurrency-control) can track live sessions. --> 
    <listener> 
     <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class> 
    </listener> 

    <!-- Idle timeout in minutes: 240 = 4 hours before the container expires a session; 
         this is also how long a leaked session cookie stays usable without activity. --> 
    <session-config> 
     <session-timeout>240</session-timeout> 
    </session-config> 

    <!-- The definition of the Root Spring Container shared by all Servlets and Filters --> 
    <!-- Note that the servlet's own appContext-servlet.xml is listed here as well, 
         so it is loaded into the root context. --> 
    <context-param> 
     <param-name>contextConfigLocation</param-name> 
     <param-value>/WEB-INF/appContext-servlet.xml 
        /WEB-INF/spring/root-context.xml 
        /WEB-INF/spring/root-context-security.xml</param-value> 
    </context-param> 

    <!-- Filters --> 
    <!-- DelegatingFilterProxy forwards to the Spring bean named "springSecurityFilterChain". 
         The matching <filter-mapping> is not part of this listing ("some other stuff" below). --> 
    <filter> 
     <filter-name>springSecurityFilterChain</filter-name> 
     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
    </filter> 

<!-- some other stuff --> 

在這裏,我實現了會話搶佔(即如果有人在另一台機器上用相同的憑據登錄,現有用戶必須被登出)以及會話超時。

對此有任何想法嗎?你有可行的解決方案嗎?

回答


也許你應該把 logout-success-url="/login" 改成其他值。如果仍然不起作用,請嘗試把 logout-success-url 從過濾器鏈中排除(設置 security="none")。

P.S. 我測試了你的代碼,看來問題來自其他配置。你能貼出你全部的安全配置文件嗎?用你給出的配置,我被正確地重定向到了 logout-success-url。


已在解決方案中補上額外的代碼 –


解決的辦法是這樣的:

<!-- this is the pattern used in order to disable the filters for logout-success-url --> 
<!-- NOTE(review): security="none" removes these URLs from the whole filter chain, so no
     SecurityContext, session-management or logout handling applies to them. The Ant
     pattern /login** presumably also matches /loginfailed (but not /login/...), which would
     make the /loginfailed rule below redundant - confirm with the path matcher in use. --> 
<http pattern="/login**" security="none"></http> 
<http pattern="/resources/**" security="none"/> 

<!-- Main chain, shown only partially here. The opening tag is printed twice in this
     listing; a well-formed document has it once. --> 
<http access-decision-manager-ref="accessDecisionManager" use-expressions="true">  
<http access-decision-manager-ref="accessDecisionManager" use-expressions="true"> 
      <intercept-url pattern="/logout" access="permitAll" /> 
      <intercept-url pattern="/loginfailed" access="permitAll" /> 
      <intercept-url pattern="/sessiontimeout" access="permitAll" /> 

謝謝。由於過濾器被禁用了,我們要如何使會話失效並刪除 cookie? –


找出解決方案。感謝@Constantinescu –