我正在使用Spring Security,尝试设置基本的登录\注销功能。登录工作正常,我将用户存储在MySQL数据库中,我可以登录,但我有登出问题。在主页上我做了一个注销链接,看起来像这样,但当我点击它时,我得到403访问被拒绝,并且用户没有被注销:
<a href="<c:url value="j_spring_security_logout" />" > Logout</a>
这是我的security-context.xml:
<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service data-source-ref="dataSource" />
</security:authentication-provider>
</security:authentication-manager>
<security:http use-expressions="true">
<security:intercept-url pattern="/static/**" access="permitAll" />
<security:intercept-url pattern="/loggedout" access="permitAll" />
<security:intercept-url pattern="/login" access="permitAll" />
<security:intercept-url pattern="/createoffer" access="isAuthenticated()" />
<security:intercept-url pattern="/docreate" access="isAuthenticated()" />
<security:intercept-url pattern="/offercreated" access="isAuthenticated()" />
<security:intercept-url pattern="/newaccount" access="permitAll" />
<security:intercept-url pattern="/createaccount" access="permitAll" />
<security:intercept-url pattern="/accountcreated" access="permitAll" />
<security:intercept-url pattern="/" access="permitAll" />
<security:intercept-url pattern="/offers" access="permitAll" />
<security:intercept-url pattern="/**" access="denyAll" />
<security:logout logout-success-url="/loggedout"/>
<security:form-login login-page="/login"
authentication-failure-url="/login?error=true" />
</security:http>
并且/ loggedout映射到基本的.jsp页面,只是说“你已经注销了”。
此外,当我在未登录时单击注销链接时,它会将我带到登录页面。
我究竟做错了什么?
将此添加为<security:http use-expressions="true">部分中的第一条规则:
<security:intercept-url pattern="/j_spring_security_logout" access="permitAll" />
我刚刚添加了logout-url =“/ j_spring_security_logout”
安全:注销,它现在应该工作..但我认为如果我使用/ j_spring_security_logout作为注销链接,即使没有这个参数它也会工作。
在<security:http use-expressions="true">部分下添加:
<security:csrf disabled="true"/>
为我工作。