spring-security - Spring Security logout redirects to logout-success, then immediately redirects to the invalid-session page

Reposted. Author: 行者123. Updated: 2023-12-01 18:12:38

According to the post Spring Security: Redirect to invalid-session-url instead of logout-success-url on successful logout, when a session is logged out, Spring Security redirects to the user-defined invalid-session-url.

<session-management invalid-session-url="/invalidSession.jsp">
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>

However, if a logout-success url is set

<logout invalidate-session="true" 
logout-success-url="/logoutSuccess.jsp"
logout-url="/logout" />

Spring still redirects to the invalid-session URL after redirecting to the logout-success URL. This happens even though the logoutSuccess url is unsecured, i.e.,

<intercept-url pattern="/logoutSuccess.jsp*" access="permitAll"/> 

Is this a bug in Spring? Since logout-success-url is set and unsecured, it seems that the user should not be redirected to the invalid-session url after reaching the logout-success url.

The logs look like this:

INFO: [DEBUG,SimpleUrlLogoutSuccessHandler] Using default Url: /logoutSuccess.jsp
INFO: [DEBUG,DefaultRedirectStrategy] Redirecting to '/Application/logoutSuccess.jsp'
INFO: [DEBUG,HttpSessionSecurityContextRepository] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
INFO: [DEBUG,SecurityContextPersistenceFilter] SecurityContextHolder now cleared, as request processing completed
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 1 of 10 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
INFO: [DEBUG,HttpSessionSecurityContextRepository] No HttpSession currently exists
INFO: [DEBUG,HttpSessionSecurityContextRepository] No SecurityContext was available from the HttpSession: null. A new one will be created.
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 3 of 10 in additional filter chain; firing Filter: 'LogoutFilter'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 4 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
INFO: [DEBUG,AnonymousAuthenticationFilter] Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
INFO: [DEBUG,FilterChainProxy] /logoutSuccess.jsp at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
INFO: [DEBUG,SessionManagementFilter] Requested session ID a396530a530b344ff531ab657e32 is invalid.
INFO: [DEBUG,SimpleRedirectInvalidSessionStrategy] Starting new session (if required) and redirecting to '/invalidsession.jsp'
INFO: [DEBUG,HttpSessionEventPublisher] Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=org.apache.catalina.session.StandardSessionFacade@564c4200]
INFO: [DEBUG,DefaultRedirectStrategy] Redirecting to '/Application/invalidsession.jsp'

Best answer

This is explained in the reference manual.

In summary, the "invalid session" feature is based on the validity of the submitted session cookie, so if you visit the site (or more specifically, the security filter chain) after logging out and you still have a JSESSIONID cookie, you may trigger this undesirable behaviour.

As described in the same section of the manual, you can try using

<logout invalidate-session="true" 
logout-success-url="/logoutSuccess.jsp"
logout-url="/logout" delete-cookies="JSESSIONID" />

to delete the cookie on logout.
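The same two settings (invalid-session redirect plus cookie-deleting logout) expressed in Spring Security's Java configuration, as an added example that is not part of the original answer. It assumes a servlet application on the WebSecurityConfigurerAdapter-era API (Spring Security 3.2 to 5.x); the class name and the paths simply mirror the question's XML.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Same as the question's <intercept-url ... access="permitAll"/>;
                // the invalid-session page must be public too, or it would loop.
                .antMatchers("/logoutSuccess.jsp*", "/invalidSession.jsp*").permitAll()
                .anyRequest().authenticated()
                .and()
            .sessionManagement()
                // <session-management invalid-session-url="/invalidSession.jsp">
                .invalidSessionUrl("/invalidSession.jsp")
                // <concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
                .maximumSessions(1).maxSessionsPreventsLogin(true)
                .and()
                .and()
            .logout()
                // Java config enables CSRF protection by default, so /logout must be a POST.
                .logoutUrl("/logout")
                .logoutSuccessUrl("/logoutSuccess.jsp")
                .invalidateHttpSession(true)
                // The fix from the answer: without this the browser re-sends the stale
                // JSESSIONID on the request for /logoutSuccess.jsp, SessionManagementFilter
                // reports "Requested session ID ... is invalid" and redirects again.
                .deleteCookies("JSESSIONID");
    }

    // Concurrency control needs to hear about destroyed sessions; this is the
    // listener whose HttpSessionCreatedEvent appears in the question's log.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```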

Regarding spring-security - Spring Security logout redirects to logout-success, then immediately redirects to the invalid-session page, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/11921786/

Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号