春季安全註銷重定向到註銷成功，然後立即成爲無效會話頁面

Question

根據文章Spring Security: Redirect to invalid-session-url instead of logout-success-url on successful logout，註銷會話時，Spring Security重定向到用戶定義的無效會話URL。

<session-management invalid-session-url="/invalidSession.jsp"> 
    <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" /> 
</session-management> 

然而，如果註銷，成功URL設置

<logout invalidate-session="true" 
      logout-success-url="/logoutSuccess.jsp" 
      logout-url="/logout" /> 

春天仍然重定向到無效的會話URL重定向到註銷，成功URL後。即使logoutSuccess url不安全，也會發生這種情況。即，

<intercept-url pattern="/logoutSuccess.jsp*" access="permitAll"/> 

這是Spring bug嗎？由於logout-success-url已設置且不安全，因此在達到註銷成功url後，用戶似乎不應該被重定向到無效會話url。

日誌如下所示：

INFO: [DEBUG,SimpleUrlLogoutSuccessHandler] Using default Url: /logoutSuccess.jsp 
INFO: [DEBUG,DefaultRedirectStrategy] Redirecting to '/Application/logoutSuccess.jsp' 
INFO: [DEBUG,HttpSessionSecurityContextRepository] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. 
INFO: [DEBUG,SecurityContextPersistenceFilter] SecurityContextHolder now cleared, as request processing completed 
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 1 of 10 in additional filter chain; firing Filter: 'ConcurrentSessionFilter' 
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 
INFO: [DEBUG,HttpSessionSecurityContextRepository] No HttpSession currently exists 
INFO: [DEBUG,HttpSessionSecurityContextRepository] No SecurityContext was available from the HttpSession: null. A new one will be created. 
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 3 of 10 in additional filter chain; firing Filter: 'LogoutFilter' 
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 4 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter' 
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' 
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' 
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' 
INFO: [DEBUG,AnonymousAuthenticationFilter] Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS' 
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter' 
INFO: [DEBUG,SessionManagementFilter] Requested session ID a396530a530b344ff531ab657e32 is invalid. 
INFO: [DEBUG,SimpleRedirectInvalidSessionStrategy] Starting new session (if required) and redirecting to '/invalidsession.jsp' 
INFO: [DEBUG,HttpSessionEventPublisher] Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.apache.catalina.session.StandardSessionFacade@564c4200] 
INFO: [DEBUG,DefaultRedirectStrategy] Redirecting to '/Application/invalidsession.jsp' 

Answer 1

這在reference manual解釋。總之，「無效會話」功能基於提交的會話cookie的有效性，所以如果您在註銷後訪問站點（或更具體地說是安全篩選器鏈），並且您仍有JSESSIONID cookie，您可能會觸發此不良行爲。

如手動的相同部分所描述的，你可以嘗試使用

<logout invalidate-session="true" 
     logout-success-url="/logoutSuccess.jsp" 
     logout-url="/logout" delete-cookies="JSESSIONID" /> 

註銷時刪除的cookie。

Answer 2

你要小心了，有時用invalidate-session='true'和delete-cookies=JSESSIONID連同用戶可以擁有會話數限制以來，可能讓你當您嘗試登錄，即使「1最大會話這主要超標」錯誤在您註銷後。

建議您只使用Delete-cookies刪除必要的會話信息，當您使用Spring Security 3.1及更高版本時。