Thursday, 16 April 2015

How to log out successfully with Spring Security using FreeMarker

I'm having problems trying to log out from my application. When I press the logout button in my application it shows me the login page again, but if I type in the search bar of my browser I can go to any page in my application without having to log in again. It seems that when I press the logout link I don't log out at all.


Here are my Maven dependencies:



    <!-- SPRING SECURITY -->
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>3.2.5.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>3.2.4.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-taglibs</artifactId>
        <version>4.0.0.RELEASE</version>
    </dependency>


I'm using FreeMarker as my template engine and I use this expression to have access to the JSP security tags:



    <#assign security=JspTaglibs["http://ift.tt/1l4yPhO"] />


Here is my login controller:



    @Controller
    @RequestMapping("/login/")
    public class LoginControl {

        @RequestMapping(value = "login", method = RequestMethod.GET)
        public String login(Model model, @RequestParam(value = "logout", required = false) String logout) {
            System.out.println(" logut is " + logout);
            return "/login/login";
        }
    }


And here is my Spring Security configuration. I'm using Java configuration and no XML:



    @Configuration
    @EnableWebMvcSecurity
    public class SeguridadConfiguracion extends WebSecurityConfigurerAdapter {

        // Custom authentication provider (the AutProvider class shown further down)
        @Autowired
        private AutProvider autenticador;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authenticationProvider(autenticador)
                .authorizeRequests()
                    // Static resources are reachable without authentication
                    .antMatchers("/resources/**").permitAll()
                    .antMatchers("/css/**").permitAll()
                    .antMatchers("/js/**").permitAll()
                    .antMatchers("/img/**").permitAll()
                    .antMatchers("/sound/**").permitAll()
                    .antMatchers("/fonts/**").permitAll()
                    .antMatchers("/ajax/**").permitAll()
                    .antMatchers("/php/**").permitAll()
                    .antMatchers("/xml/**").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login/login")
                    .permitAll()
                    .and()
                .logout().logoutSuccessUrl("/login/login?logout")
                    .permitAll()
                    .and()
                .csrf().disable();
        }
    }


And my AutProvider class:



    @Component
    public class AutProvider implements AuthenticationProvider {

        @Override
        public Authentication authenticate(Authentication authentication)
                throws AuthenticationException {

            String name = null;
            String password = null;
            Authentication auth = null;

            try {
                name = authentication.getName();
                password = authentication.getCredentials().toString();

                // Hard-coded test account; any other credentials leave auth as null
                if (name.equals("admin@admin.com") && password.equals("password")) {
                    List<GrantedAuthority> grantedAuths = new ArrayList<>();
                    grantedAuths.add(new SimpleGrantedAuthority("PERM_DELETE"));

                    auth = new UsernamePasswordAuthenticationToken(name, password, grantedAuths);
                }
            } catch (AuthenticationException e) {
                e.printStackTrace();
                throw e;
            }

            return auth;
        }

        // Required by the AuthenticationProvider interface: accept username/password tokens
        @Override
        public boolean supports(Class<?> authentication) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }


And here is how I call the logout link in my page:



    <div id="logout" class="btn-header transparent pull-right">
        <span> <a href="../login/login?logout.html" title="Sign Out" data-action="userLogout" data-logout-msg="You can improve your security further after logging out by closing this opened browser"><i class="fa fa-sign-out"></i></a> </span>
    </div>


I tried changing href="../login/login?logout.html" to href="../j_spring_security_logout", but when I do this it says 404 not found.


EDIT:


I think that the real problem resides in these lines:


In my Spring Security configuration class:



    .and()
    .logout().logoutSuccessUrl("/login/login?logout")
    .permitAll()


This part of my login controller:



    @RequestMapping(value = "login", method = RequestMethod.GET)
    public String login(Model model, @RequestParam(value = "logout", required = false) String logout) {
        System.out.println(" logut is " + logout);
        return "/login/login";
    }


And this part in the page where I call the logout:



    <a href="../login/login?logout.html"


I'm very confused by this link: j_spring_security_logout. Why should I put it in my href if I don't have any controller mapped for that path? I read that that link is some kind of virtual link that is mapped to the path that I put in my Spring Security configuration class, and I'm not sure, but I believe that the link has some kind of functions already defined, like closing my session or clearing my CSRF token (if I later want to use one, since I don't have one in my application right now).
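
An added example, not code from the original post: a Spring Security 3.2 Java configuration in which the logout link targets the URL handled by the LogoutFilter. With Java configuration that URL defaults to /logout (/j_spring_security_logout is the XML namespace default), while /login/login?logout is only the page shown after logout. The class name LogoutConfigExample and the in-memory user are assumptions.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

// Hypothetical class name; the URL paths are the ones used in the post.
@Configuration
@EnableWebMvcSecurity
public class LogoutConfigExample extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed stand-in for the post's AutProvider, same test account.
        auth.inMemoryAuthentication()
            .withUser("admin@admin.com").password("password").authorities("PERM_DELETE");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/resources/**", "/css/**", "/js/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login/login")
                .permitAll()
                .and()
            .logout()
                // URL intercepted by the LogoutFilter; no controller mapping is needed.
                // "/logout" is already the Java-config default, spelled out for clarity.
                .logoutUrl("/logout")
                // Page the browser is redirected to once the logout has been processed.
                .logoutSuccessUrl("/login/login?logout")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .permitAll()
                .and()
            // Kept as in the post. With CSRF off the filter accepts GET /logout;
            // with CSRF protection on, logout must be a POST carrying the token.
            .csrf().disable();
    }
}

// Template link (relative prefix depends on the page location, as in the post):
//   <a href="../logout" title="Sign Out">...</a>
```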

