Nikolay Baranenko, 2017-01-21 11:50:31
Java

Why does the webapp let me into the protected part after logout?

Hello.
I have always used my own home-grown "bicycle" for authorization.
Today I decided to try joining the fans of Spring Security.
As a starting point, I decided to try the example from the article https://habrahabr.ru/post/226791/ .
Source here:
https://github.com/elennaro/sshwa/tree/0.2-SNAPSHOT
As a result, the webapp started up, BUT a serious flaw came to light.
A request to localhost:8000/ redirects me to the login form. I log in and get into the secure part at
localhost:8000/confidential
Then, on the secure part, I log out,
and it throws me to the authorization page.
So far so good.
BUT if I go again WITHOUT authorization to
localhost:8000/confidential
security lets me in freely and shows that I am logged in under the account I logged out of earlier.
What is the problem and how do I solve it?

Alexander Kuznetsov, 2017-01-21
@drno-reg

Let's do this: https://github.com/elennaro/sshwa/tree/0.2-SNAPSHOT - does the app from here work?
If it works, then something is wrong on your side. If not, then you need to deal with the configuration; something somewhere did not work.
I myself use the XML configuration; there have never been any problems with closing off areas.
But I want to note that I did have problems with logout; I could not figure out why it did not work.
As a result, the following filters ended up in my web.xml:

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/j_spring_security_logout</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

Well, the security config itself:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns="http://www.springframework.org/schema/security"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
  http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
  http://www.springframework.org/schema/security 
  http://www.springframework.org/schema/security/spring-security-4.0.xsd">

    <beans:bean id="tokenPersistRepo"
                class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
        <beans:property name="dataSource" ref="dataSource"/>
    </beans:bean>


    <beans:bean id="nonAjaxRequestMatcher" class="org.whatever.NonAjaxRequestMatcher"/>

    <beans:bean id="loginUrlAuthenticationEntryPoint"
                class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:constructor-arg value="/login"/>
    </beans:bean>

    <beans:bean id="ajaxAuthenticationEntryPoint"
                class="org.springframework.security.web.authentication.HttpStatusEntryPoint">
        <beans:constructor-arg name="httpStatus"
                               value="#{T(org.springframework.http.HttpStatus).UNAUTHORIZED}"/>
    </beans:bean>

    <beans:bean id="authenticationRequestCache"
                class="org.springframework.security.web.savedrequest.HttpSessionRequestCache">
        <beans:property name="requestMatcher" ref="nonAjaxRequestMatcher"/>
    </beans:bean>

    <beans:bean id="authenticationEntryPoint"
                class="org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint">
        <beans:constructor-arg>
            <beans:map>
                <beans:entry key-ref="nonAjaxRequestMatcher" value-ref="loginUrlAuthenticationEntryPoint"/>
            </beans:map>
        </beans:constructor-arg>
        <beans:property name="defaultEntryPoint" ref="ajaxAuthenticationEntryPoint"/>
    </beans:bean>

    <http entry-point-ref="authenticationEntryPoint" use-expressions="true">
        <request-cache ref="authenticationRequestCache"/>

        <headers>
            <frame-options disabled="true"/>
        </headers>

        <intercept-url pattern="/backend/roles/**" access="hasAnyRole('ROLE_ADMINISTRATOR')"/>
        <intercept-url pattern="/backend/**" access="hasAnyRole('ROLE_ADMINISTRATOR', 'ROLE_SYS')"/>
        <intercept-url pattern="/registries/**" access="hasAnyRole('ROLE_ADMINISTRATOR', 'ROLE_SYS', 'ROLE_REGISTRY')"/>
        <intercept-url pattern="/registries" access="hasAnyRole('ROLE_ADMINISTRATOR', 'ROLE_SYS', 'ROLE_REGISTRY')"/>
        <intercept-url pattern="/login/**" access="permitAll"/>
        <intercept-url pattern="/logout/**" access="permitAll"/>
        <intercept-url pattern="/resources/**" access="permitAll"/>
        <intercept-url pattern="/bundles/**" access="permitAll"/>
        <intercept-url pattern="/jawr/**" access="permitAll"/>
        <intercept-url pattern="/error/**" access="permitAll"/>

        <access-denied-handler error-page="/403"/>

        <intercept-url pattern="/**" access="isAuthenticated()"/>

        <form-login login-page="/login" default-target-url="/"
                    authentication-failure-url="/login?error" username-parameter="username"
                    password-parameter="password"/>

        <logout logout-success-url="/" logout-url="/j_spring_security_logout" delete-cookies="JSESSIONID,remember-me"/>

        <remember-me
                key="${app.remember-me-key}"
                remember-me-parameter="remember-me"
                remember-me-cookie="remember-me"
                token-validity-seconds="86400"
                token-repository-ref="tokenPersistRepo"/>

        <csrf/>
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="usersManager">
            <password-encoder hash="bcrypt"/>
        </authentication-provider>
    </authentication-manager>

</beans:beans>

I suspect that it is redundant, but right now I have no reason, desire or time to check, because, unfortunately, my projects no longer involve Java.
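For readers who use Spring Security's Java configuration instead of XML, the following is an added example (not code from the question, the answer, or the sshwa project) that expresses the logout and remember-me part of the answer's configuration in that form, keeping the settings that matter for the symptom described in the question: invalidating the HTTP session, clearing the security context, deleting both the session cookie and the remember-me cookie, and backing remember-me with a persistent token repository so that logout also removes the server-side token. The package name, the `DataSource` bean, the `/confidential` and `/logout` paths and the remember-me key are assumptions for the example.

```java
package example.security; // hypothetical package, not from the question or the sshwa project

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class LogoutSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource; // assumed to be defined elsewhere in the application context

    // Persistent remember-me tokens (JdbcTokenRepositoryImpl uses the persistent_logins table).
    // With a token repository in place, logout removes the user's token series on the server,
    // so a leftover remember-me cookie can no longer re-authenticate the user.
    @Bean
    public PersistentTokenRepository tokenRepository() {
        JdbcTokenRepositoryImpl repo = new JdbcTokenRepositoryImpl();
        repo.setDataSource(dataSource);
        return repo;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login/**", "/logout/**", "/resources/**", "/error/**").permitAll()
                .antMatchers("/confidential/**").authenticated()   // assumed protected area
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .defaultSuccessUrl("/")
                .failureUrl("/login?error")
                .and()
            .rememberMe()
                .key("REPLACE-WITH-A-SECRET-KEY")                  // placeholder, set per deployment
                .rememberMeParameter("remember-me")
                .rememberMeCookieName("remember-me")
                .tokenValiditySeconds(86400)
                .tokenRepository(tokenRepository())
                .and()
            .logout()
                // With CSRF enabled, Spring Security only treats a POST to the logout URL as a logout.
                // Matching the method explicitly makes that visible: a plain GET link to /logout would
                // never reach LogoutFilter, and the session and remember-me cookie would stay valid.
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "POST"))
                .logoutSuccessUrl("/login?logout")
                .invalidateHttpSession(true)      // drop the server-side session
                .clearAuthentication(true)        // clear the SecurityContext
                .deleteCookies("JSESSIONID", "remember-me")
                .and()
            .csrf();
    }
}
```

To check that logout really took effect, repeat the request to the protected page in the same browser after logging out and confirm it redirects to `/login`; with the persistent repository, the user's row in `persistent_logins` should also be gone after logout. If the protected page still opens, the logout request most likely never reached `LogoutFilter` (wrong URL or HTTP method) or the remember-me cookie was not cleared.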
