尽管断开连接,我仍然可以访问资源,而无需再次向我的提供商进行身份验证
问题描述 投票:0回答:1
我的应用程序注销不起作用。
当我点击注销按钮时,如果确认注销,我会保持相同的连接->我不需要再次登录即可访问资源,我可以直接访问资源页面。
注销确认窗口不会出现,如果我写 /logout:
但我总是可以再次访问资源而无需登录。
在浏览器控制台中,我有这个:
客户的安全配置:
@Configuration
@EnableWebSecurity
@EnableMethodSecurity(prePostEnabled = true)
public class SecurityConfig {
private final ClientRegistrationRepository clientRegistrationRepository;
public SecurityConfig(ClientRegistrationRepository clientRegistrationRepository){
this.clientRegistrationRepository=clientRegistrationRepository;
}
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.csrf(Customizer.withDefaults())//config par def.
.authorizeHttpRequests(ar-> ar.anyRequest().authenticated())
.headers(h->h.frameOptions(fo->fo.disable()))
.csrf(crsf->crsf.ignoringRequestMatchers("/h2-console/**"))
.authorizeHttpRequests(ar->ar.requestMatchers("/","/webjars/**","/h2-console/**", "/oauth2Login/**").permitAll())
.oauth2Login(al->al.loginPage("/oauth2Login").defaultSuccessUrl("/"))
.logout((logout)->logout
.logoutSuccessHandler(oidcLogoutSuccessHandler())
.logoutSuccessUrl("/").permitAll()
.clearAuthentication(true)
.deleteCookies("JSESSIONID"))
.exceptionHandling(eh->eh.accessDeniedPage("/notAuthorized"));
return http.build();
}
private OidcClientInitiatedLogoutSuccessHandler oidcLogoutSuccessHandler() {
final OidcClientInitiatedLogoutSuccessHandler oidcClientInitiatedLogoutSuccessHandler=
new OidcClientInitiatedLogoutSuccessHandler(this.clientRegistrationRepository);
oidcClientInitiatedLogoutSuccessHandler.setPostLogoutRedirectUri("{baseUrl}?logoutsuccess=true");
return oidcClientInitiatedLogoutSuccessHandler;
}
@Bean
public GrantedAuthoritiesMapper userAuthoritiesMapper() {
return (authorities -> {
final Set<GrantedAuthority> mappedAuthorities=new HashSet<>();
authorities.forEach((authority)->{
if (authority instanceof OidcUserAuthority oidcAuth){
mappedAuthorities.addAll(mappedAuthorities(oidcAuth.getIdToken().getClaims()));
System.out.println(oidcAuth.getAttributes());
} else if (authority instanceof OAuth2UserAuthority oauth2Auth) {
mappedAuthorities.addAll(mappedAuthorities(oauth2Auth.getAttributes()));
}
});
return mappedAuthorities;
});
}
private List<SimpleGrantedAuthority> mappedAuthorities(final Map<String, Object> attributes) {
final Map<String, Object> realmAccess= (Map<String, Object>) attributes.getOrDefault("realm_access", Collections.emptyMap());
final Collection<String> roles=((Collection<String>)realmAccess.getOrDefault("roles", Collections.emptyList()));
return roles.stream()
.map(SimpleGrantedAuthority::new)
.toList();
}
控制器:
@Controller
public class CustomerController {
/**
* acces a interface
*/
private CustomerRepository customerRepository;
private ClientRegistrationRepository clientRegistrationRepository;
public CustomerController(CustomerRepository customerRepository, ClientRegistrationRepository registrationRepository) {
this.customerRepository = customerRepository;
this.clientRegistrationRepository = clientRegistrationRepository;
}
@GetMapping("/customers")
@PreAuthorize("hasAuthority('ADMIN')")
public String customers(Model model){
List<Customer> customersList = customerRepository.findAll();
model.addAttribute("customers", customersList);
return "customers";//return attributeName du model=CustomerList
}
@GetMapping("/products")
public String products(Model model){
SecurityContext context= SecurityContextHolder.getContext();
Authentication authentication = context.getAuthentication();
OAuth2AuthenticationToken oAuth2AuthenticationToken = (OAuth2AuthenticationToken) authentication;
DefaultOidcUser oidcUser= (DefaultOidcUser) oAuth2AuthenticationToken.getPrincipal();
String jwtTokenValue=oidcUser.getIdToken().getTokenValue();
RestClient restClient= RestClient.create("http://localhost:8085");
List<Product> products=restClient.get()
.uri("/products")
.headers(httpHeaders ->httpHeaders.set(HttpHeaders.AUTHORIZATION,"Bearer"+"jwtTokenValue"))
.retrieve()
.body(new ParameterizedTypeReference<>() {});
model.addAttribute("products", products);
return "products";
}
@GetMapping("/auth")
@ResponseBody
public Authentication auth(Authentication authentication){
return authentication;
}
@GetMapping("/")
public String index(){
return "index";
}
@GetMapping("/notAuthorized")
public String notAuthorized(){
return "notAuthorized";
}
@GetMapping("/oauth2Login")
public String oauth2Login(Model model){
String authorizationRequestBaseUri="oauth2/authorization";
Map<String, String> oauth2AuthenticationUrls=new HashMap();
Iterable<ClientRegistration> clientRegistrations=(Iterable<ClientRegistration>)clientRegistrationRepository;
clientRegistrations.forEach(clientRegistration->{
oauth2AuthenticationUrls.put(clientRegistration.getClientName(),
authorizationRequestBaseUri+"/"+ clientRegistration.getRegistrationId());
});
model.addAttribute("urls",oauth2AuthenticationUrls);
return "oauth2Login";
}
感谢您的帮助。
1个回答
0
投票
投票
对
/logoutPOST一旦修复了 HTTP 谓词(发送
POSTGET最新问题
- 将 MediaWiki 的输出转换为纯文本
- 为什么`echo`会解释为“ " 仅在交互式 shell 中作为换行符,而不是在执行 shell 脚本时作为换行符?
- 自动更新 Google Apps 脚本网络应用程序
- Xcode 6 CocoaPods 错误:目标覆盖 `OTHER_LDFLAGS` 构建设置
- 无法安装 ruby 运行'__rvm_make -j4'时出错,
- Vim:Fugitive:Glog - 如何获取当前文件的提交而不是修订版
- 如何使用不包含 txnId 的 API 调用结果深度链接到 QuickBooks Online
- 当我们有 AJAX 时,为什么还需要 <form/>?
- 如何替换某个字符的所有出现,但如果该字符是字符串中的第一个字符则不替换?
- 为什么 req.cookies 未定义?
- 如何找出特定 NSScreen 上是否有全屏应用程序运行
- 为什么调用方法时会出现渲染错误(未定义函数错误),而属性却可以?
- 如何使用 string_replace() 进行包含方括号的替换?
- 对于我使用 GB、树和随机森林进行房价数据分析,我的 MSE 太高了
- R 公式/表达式中标识符的范围
- 如何使用for循环为多个数据帧选择特定列?
- 表达式无法在函数内找到对象
- 在客户端注册的令牌响应中获取 [invalid_id_token] 缺少(必需)ID 令牌:github
- discord.py 在树莓派上的音频差异
- fl_chart 条形图的样式和动画问题
© www.soinside.com 2019 - 2024. All rights reserved.