I have implemented LDAP authentication in my application, and even after deleting the cookies in the logout method I still run into an authentication problem.

Code snippet:
```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.WebUtils;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Collaborators and LDAP settings used below but not shown in the original snippet;
    // assumed here to be injected from application properties.
    @Autowired
    private CustomUserDetailsContextMapper userDetailsMapper;
    @Value("${ldap.url}") private String url;
    @Value("${ldap.managerDn}") private String username;
    @Value("${ldap.managerPassword}") private String password;
    @Value("${ldap.userSearchFilter}") private String searchfilter;
    @Value("${ldap.userSearchBase}") private String searchbase;
    @Value("${ldap.groupSearchBase}") private String groupsearchbase;
    // Lifetime of the XSRF-TOKEN cookie in seconds (3600 in the original).
    private int expiryTime = 3600;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // httpBasic(): every request that carries an Authorization: Basic header is
        // authenticated again; deleting cookies does not clear what the browser caches.
        http.httpBasic().and()
            .authorizeRequests().antMatchers("/login").authenticated().and()
            .csrf().csrfTokenRepository(csrfTokenRepository()).and()
            .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
            .sessionManagement().maximumSessions(200).expiredUrl("/logout")
                .maxSessionsPreventsLogin(true)
                .sessionRegistry(sessionRegistry()).and().and()
            .logout()
                .deleteCookies("JSESSIONID").deleteCookies("XSRF-TOKEN")
                .logoutUrl("/logout").invalidateHttpSession(true)
                .logoutSuccessHandler(new LogoutSuccessHandler() {
                    @Override
                    public void onLogoutSuccess(HttpServletRequest request,
                            HttpServletResponse response,
                            Authentication authentication) throws IOException, ServletException {
                        // Answers the logout request with an empty 200 instead of a redirect.
                        response.sendError(200);
                    }
                });
    }

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication().userDetailsContextMapper(userDetailsMapper)
            .userSearchFilter(searchfilter)
            .userSearchBase(searchbase).groupSearchBase(groupsearchbase)
            .contextSource().url(url).managerDn(username)
            .managerPassword(password);
    }

    // Not shown in the original; assumed to be the usual session-backed repository
    // that reads the token from the X-XSRF-TOKEN header.
    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN");
        return repository;
    }

    // Copies the CSRF token into the XSRF-TOKEN cookie on /login and, on every other
    // URL, rejects requests that do not carry that cookie.
    private Filter csrfHeaderFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request,
                    HttpServletResponse response, FilterChain filterChain)
                    throws ServletException, IOException {
                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
                // As posted: when no token attribute is present the chain is not continued.
                if (csrf != null) {
                    Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
                    String token = csrf.getToken();
                    if (request.getRequestURI() != null) {
                        // Strip the leading "/" and compare the remaining path with "login".
                        if (request.getRequestURI().toLowerCase()
                                .substring(1, request.getRequestURI().length())
                                .equals("login")) {
                            cookie = new Cookie("XSRF-TOKEN", token);
                            cookie.setPath("/");
                            cookie.setMaxAge(expiryTime); // expiry time is 3600 seconds in my case
                            response.addCookie(cookie);
                            filterChain.doFilter(request, response);
                        } else if (cookie != null) {
                            filterChain.doFilter(request, response);
                        } else {
                            response.sendError(403,
                                    "you are not authorized to see this page .Issue has been logged.");
                        }
                    }
                }
            }
        };
    }
}
```
Controller:

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/")
public class LoginController {

    @Autowired
    private CustomUserDetailsContextMapper userDetailsMapper;

    // Protected by antMatchers("/login").authenticated(): the first call triggers the Basic challenge.
    @RequestMapping(value = { "/login" }, method = RequestMethod.GET)
    public @ResponseBody ResponseEntity<CustomUser> login() {
        CustomUser customUser = userDetailsMapper.getUserDetails();
        return new ResponseEntity<CustomUser>(customUser, HttpStatus.OK);
    }

    // Note: with CSRF protection enabled, Spring Security's LogoutFilter only handles
    // POST /logout, so a GET to this URL reaches this method and neither invalidates
    // the session nor deletes the cookies.
    @RequestMapping(value = { "/logout" }, method = RequestMethod.GET)
    public @ResponseBody String logout() {
        return "success";
    }

    /*
     * This controller is just for testing, we can delete it later.
     */
    @RequestMapping(value = { "/random/controller" }, method = RequestMethod.GET)
    public @ResponseBody HttpStatus retrievelogin1() {
        System.out.println("user is " + userDetailsMapper.getUserDetails());
        return HttpStatus.ACCEPTED;
    }
}
```
Problem:

When I log in the first time it works fine: it asks for credentials and everything works as expected, but when I log out and log in again it does not ask for credentials.
According to the code, logout deletes the cookies, which I can see with the request client, but it still does not ask for credentials. I have tried different browsers (IE, Firefox, Chrome) and I have tried "incognito" mode, but it did not help.
It seems the browser stores it in its cache.
When I use formLogin instead of httpBasic I see the login page every time, but in my case I cannot use formLogin; I have to use httpBasic.
Please tell me what you think. Let me know if you need any information.
Thanks in advance,
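Added example (not from the question or from Spring): a Python model of the request sequence described in the question, with a constructed user store standing in for the LDAP directory and a dict standing in for the session registry, to show what the server sees after logout when the client keeps sending the Basic header.

```python
import base64
import secrets

USERS = {"alice": "s3cret"}  # constructed stand-in for the LDAP directory
SESSIONS = {}                # session registry: JSESSIONID -> user


def basic_user(headers):
    """Validate an 'Authorization: Basic ...' header; return the user or None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(value[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return user if sep and USERS.get(user) == password else None


def handle(headers, cookies):
    """One request through httpBasic(): returns (status, user, cookies to set)."""
    user = basic_user(headers)
    if user is None:
        # No usable credentials: the 401 challenge is what makes a browser prompt.
        return 401, None, {}
    sid = cookies.get("JSESSIONID")
    if sid not in SESSIONS:
        sid = secrets.token_hex(8)  # fresh session, as after invalidateHttpSession
        SESSIONS[sid] = user
    return 200, user, {"JSESSIONID": sid}


def logout(cookies):
    """The logout() configuration: invalidate the session and delete the cookies."""
    SESSIONS.pop(cookies.get("JSESSIONID"), None)
    return {}  # browser's cookie jar after deleteCookies("JSESSIONID") / ("XSRF-TOKEN")


def replay():
    """Replay the question's sequence; returns the status code of each step."""
    creds = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    first, _, cookies = handle({}, {})                             # 401: browser prompts
    login, _, cookies = handle({"Authorization": creds}, cookies)  # 200: session created
    cookies = logout(cookies)                                      # session and cookies gone
    # The browser still holds the Basic credentials for the realm and re-sends them, so
    # the server authenticates again without a 401 and no prompt appears.
    again, _, _ = handle({"Authorization": creds}, cookies)
    return first, login, again
```

Only a 401 response makes the browser prompt again; the logout path in the question never sends one, so the cached header keeps authenticating.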