spring-security doc logout
2017-06-28 08:45
141 查看
18.5.3 Logging Out
Adding CSRF will update the LogoutFilter to only use HTTP POST. This ensures that log out requires a CSRF token and that a malicious user cannot forcibly log out your users.One approach is to use a form for log out. If you really want a link, you can use JavaScript to have the link perform a POST (i.e. maybe on a hidden form). For browsers with JavaScript that is disabled, you can optionally have the link take the user to a log out confirmation page that will perform the POST.
If you really want to use HTTP GET with logout you can do so, but remember this is generally not recommended. For example, the following Java Configuration will perform logout with the URL /logout is requested with any HTTP method:
@EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .logout() .logoutRequestMatcher(new AntPathRequestMatcher("/logout")); } }
http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf-logout
34down voteaccepted | From the Spring Security documentation CSRF protection is enabled by default with Java configuration. If you would like to disable CSRF, the corresponding Java configuration can be seen below. Refer to the Javadoc of csrf() for additional customizations in how CSRF protection is configured. And, when CSRF protection is enabled The last step is to ensure that you include the CSRF token in all PATCH, POST, PUT, and DELETE methods. In your case: you have CSRF protection enabled by default (because you are using Java configuration), you are submitting the login form using an HTTP POST and are not including the CSRF token in the login form. For this reason, your login request is denied upon submission because the CSRF protection filter cannot find the CSRF token in the incoming request. You have already determined the possible solutions: Disable CSRF protection as http.csrf().disable(); or Include the CSRF token in the login form as a hidden parameter. Since you are using Thymeleaf, you will have to do something like the following in your HTML template for the login page: <form name="f" th:action="@{/login}" method="post"> <fieldset> <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}" /> ... </fieldset> </form> Note that you must use th:actionand not HTML actionas the Thymeleaf CSRF processor will kick-in only with the former. You could change the form submission method to GETjust to get over the problem but that isn't recommended since the users are going to submit sensitive information in the form. I typically create a Thymeleaf fragment that is then used in all pages with forms to generate the markup for the forms with the CSRF token included. This reduces boilerplate code across the app. |
相关文章推荐
- Struts+Spring+JDBC 简单配置
- spring2.5 jdbcTemplate学习笔记
- 基于spring 3 注解的junit测试
- Spring3开发实战 之 第二章:IoC/DI开发(1)
- Spring.....session什么时候关闭问题
- Spring获得初始化容器
- org.springframework.core.NestedIOException
- Spring加载静态资源的方式
- 如何在一个Spring工程下使用多数据源配置的改进实现
- java.lang.ClassNotFoundException: org.springframework.web.context.ContextLoaderListener
- 力所能及之springmvc NetworkError: 415 Unsupported Media Type
- Spring学习(三)ioc工厂bean深入理解
- 项目中new一个Spring管理的bean
- Spring的事务管理机制学习(设计模式之策略模式)
- 毕设—spring 和 hibernate在整合声明式事务的时候会报错
- Spring AOP 实现系统操作日志记录
- junit+spring Test.jar 单元测试
- Spring中BeanPostProcessor
- Spring 4 官方文档学习(十一)Web MVC 框架之HTTP caching support
- springboot 使用第三方tomcat 运行