2016-08-01 78 views
3

Spring Security with AngularJS - logout doesn't work

I found the same problem and solutions here. But those solutions didn't help me. You can get the example here. As you can see, the example contains a good description of the client (Angular) part of logout. But it doesn't provide the server part of the logout handling. So I checked in LogoutSuccessHandler:

authentication.isAuthenticated() == true 

I tried some experiments, but logout doesn't work. Tried:

((UsernamePasswordAuthenticationToken) authentication).eraseCredentials(); 

authentication.setAuthenticated(false); 

.deleteCookies("JSESSIONID", "XSRF-TOKEN")

 http.httpBasic().and().authorizeRequests() 
       .antMatchers("/index.html", "/home.html", "/login.html", "/").permitAll().anyRequest() 
       .authenticated().and().csrf() 
       .csrfTokenRepository(csrfTokenRepository()).and() 
       .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class); 
     http.authorizeRequests().anyRequest().authenticated() 
       .and().logout().logoutSuccessHandler(logoutSuccess).deleteCookies("JSESSIONID", "XSRF-TOKEN") 
       .invalidateHttpSession(true).permitAll(); 

The result is the same. I hope someone can help me solve this problem. Thanks.

+0

Probably, this is not a security issue as I thought. It's a Chrome handler issue. I don't know how it happens, but my Firefox works fine and IE handles it well, but Chrome has a bug or a hack (it seems so). The question is generally closed. But if someone knows what should be fixed for Chrome - please tell me. (I cleared all cookies and cache data in Chrome with **Ctrl+Shift+Del** - it didn't help.) – Sergii

+0

The difference I detected: Chrome includes the header **Authorization: Basic dXNlcjpwYXNzd29yZA==** in every request. This may help to get the correct answer. – Sergii

+0

1up for the –

Answer

3

I'm sure this is not a security issue. It's a Chrome handler issue. I don't know how it happens, but my Firefox works fine and IE handles it well.

I checked the Chrome settings and found the following: Settings >> Show advanced settings... >> Manage passwords >> the Auto sign-in flag was on. I removed this flag. The problem was not solved. I changed my login in application.yml. As a result (show home \ login \ logout etc.), Chrome asks for the login and password in a pop-up window (a system-like window). If I don't restart the application, IE and Firefox continue to work after I put the login \ password there; in Chrome I can't see any page (white tab, error page), but if I put my credentials into the pop-up window I get an authorized session. If I press logout, the authorization does not disappear (after reloading the page I still see the authorized user's details).

So I think the question is generally closed. But if someone knows what should be fixed in Chrome - please tell me. (I cleared all cookies and cache data in Chrome with Ctrl+Shift+Del - it didn't help.)

Adding more details. The last user of my application was u2. I renamed it in the application.yml file to u3. I last used Chrome with u2, but the server knows nothing about user u2. After restarting the server I tried to load the home page -> then I got an authentication request in a Chrome pop-up window. You can see the server log below.

2016-08-02 20:30:35.866 INFO 18404 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/]  : Initializing Spring FrameworkServlet 'dispatcherServlet' 
2016-08-02 20:30:35.867 INFO 18404 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet  : FrameworkServlet 'dispatcherServlet': initialization started 
2016-08-02 20:30:35.883 INFO 18404 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet  : FrameworkServlet 'dispatcherServlet': initialization completed in 16 ms 
2016-08-02 20:30:35.901 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/css/**' 
2016-08-02 20:30:35.901 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/js/**' 
2016-08-02 20:30:35.901 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/images/**' 
2016-08-02 20:30:35.901 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/**/favicon.ico' 
2016-08-02 20:30:35.901 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/error' 
2016-08-02 20:30:35.902 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy  :/at position 1 of 13 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' 
2016-08-02 20:30:35.903 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy  :/at position 2 of 13 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 
2016-08-02 20:30:35.903 DEBUG 18404 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists 
2016-08-02 20:30:35.903 DEBUG 18404 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created. 
2016-08-02 20:30:35.906 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy  :/at position 3 of 13 in additional filter chain; firing Filter: 'HeaderWriterFilter' 
2016-08-02 20:30:35.906 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.se[email protected]2583a7b2 
2016-08-02 20:30:35.907 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy  :/at position 4 of 13 in additional filter chain; firing Filter: 'CsrfFilter' 
2016-08-02 20:30:35.925 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy  :/at position 5 of 13 in additional filter chain; firing Filter: '' 
2016-08-02 20:30:35.935 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy  :/at position 6 of 13 in additional filter chain; firing Filter: 'LogoutFilter' 
2016-08-02 20:30:35.935 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/'; against '/logout' 
2016-08-02 20:30:35.935 DEBUG 18404 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy  :/at position 7 of 13 in additional filter chain; firing Filter: 'BasicAuthenticationFilter' 
2016-08-02 20:30:35.937 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter : Basic Authentication Authorization header found for user 'u2' 
2016-08-02 20:30:35.939 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.authentication.ProviderManager  : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider 
2016-08-02 20:30:35.940 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.a.dao.DaoAuthenticationProvider : User 'u2' not found 
2016-08-02 20:30:35.941 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter : Authentication request for failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials 
2016-08-02 20:30:35.941 DEBUG 18404 --- [nio-8080-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest] 
2016-08-02 20:30:35.941 DEBUG 18404 --- [nio-8080-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : No match found. Using default entry point org.springframewor[email protected]32c6200d 
2016-08-02 20:30:35.941 DEBUG 18404 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. 
2016-08-02 20:30:35.942 DEBUG 18404 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed 

Note that I did not use user u2 in this request, but you can see information about this user in the server log:

2016-08-02 20:30:35.937 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter : Basic Authentication Authorization header found for user 'u2' 
2016-08-02 20:30:35.939 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.authentication.ProviderManager  : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider 
2016-08-02 20:30:35.940 DEBUG 18404 --- [nio-8080-exec-1] o.s.s.a.dao.DaoAuthenticationProvider : User 'u2' not found 

It seems Chrome provides unexpected behaviour. And the Example works fine without additional changes.

P.S. Solution for Chrome.

I think that every time you use Chrome, you need to use incognito mode. In incognito mode you don't have any token on the first request; incognito mode provides the expected behaviour as it should be, without Chrome hacks and workarounds.

+2

Upvote for your research –
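The log above shows the mechanism behind the "broken" logout: the direct navigation to "/" carried no X-Requested-With header, so DelegatingAuthenticationEntryPoint fell back to the Basic entry point, the browser showed its native login pop-up and then cached the Basic credentials, which it resends on every request (the Authorization header Sergii noticed). Invalidating the session cannot undo that, because BasicAuthenticationFilter simply re-authenticates the next request. The configuration below is an added example, not the question's code or the Spring guide's code; it assumes Spring Boot 1.4 / Spring Security 4.1 APIs (HttpStatusEntryPoint, CookieCsrfTokenRepository) and replaces the custom csrfHeaderFilter from the question with the built-in cookie repository. It returns a bare 401 so the browser never sees WWW-Authenticate: Basic and never caches credentials, and its logout handler reports when a client still sends a cached Authorization header.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .httpBasic()
                // Plain 401 with no WWW-Authenticate header: no native browser
                // pop-up, so the browser has no Basic credentials to cache and
                // resend after logout. The Angular client handles the 401 itself.
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
                .and()
            .authorizeRequests()
                .antMatchers("/index.html", "/home.html", "/login.html", "/").permitAll()
                .anyRequest().authenticated()
                .and()
            .logout()
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID", "XSRF-TOKEN")
                .logoutSuccessHandler(logoutSuccess())
                .and()
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }

    // Clears the context, answers 204 (no redirect for an XHR client) and logs
    // when the request still carried Authorization: the server-side session is
    // gone, but such a client will re-authenticate itself on its next request.
    private LogoutSuccessHandler logoutSuccess() {
        return (HttpServletRequest req, HttpServletResponse res, Authentication auth) -> {
            SecurityContextHolder.clearContext();
            if (req.getHeader("Authorization") != null) {
                System.out.println("logout: client still sends cached Basic credentials");
            }
            res.setStatus(HttpServletResponse.SC_NO_CONTENT);
        };
    }
}
```

If the native pop-up has already been used once, only the browser can forget those credentials (a restart or, as the answer found, an incognito window); the server cannot revoke them.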