Grails redirect after logout with spring-security-core 3.0.6+

tma*_*hal · 5 · tags: grails, spring-security, grails-plugin, grails-controller

The CRLF logout vulnerability (https://jira.springsource.org/browse/SEC-1790) was fixed in Spring Security version 3.0.6, and they disabled the 'spring-security-redirect' parameter.

Default support for the redirect parameter in the logout URL was also removed in 3.0.6. In 3.1 it already needs to be explicitly enabled.

Is there a way to turn the redirect parameter back on so that I can redirect dynamically in my Grails Spring Security logout controller?

LogoutController.groovy

// Spring Security Core plugin 1.x package; 2.x moved it to grails.plugin.springsecurity
import org.codehaus.groovy.grails.plugins.springsecurity.SpringSecurityUtils

class LogoutController {

    def springSecurityService

    def index = {
        def user = springSecurityService.currentUser

        if (params.redirect) {
            // this needs to log the user out and then redirect, so don't redirect until we log the user out here
            log.info "Redirecting " + springSecurityService.currentUser.username + " to " + params.redirect
            // the successHandler.targetUrlParameter is spring-security-redirect, which should redirect after successfully logging the user out
            // note: params.redirect is passed through unvalidated and unencoded
            redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl + "?spring-security-redirect=" + params.redirect
            return
        }

        redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl // '/j_spring_security_logout'
    }
}

The following no longer works with Spring Security 3.0.6+
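As an added example (not part of the question or of the answer on this page): in Spring Security 3.1 the logout success handler only reads a target-URL request parameter when `targetUrlParameter` has been set on it, and in a Grails application the plugin's handler bean can be replaced by redefining it under the same name in grails-app/conf/spring/resources.groovy. The bean name `logoutSuccessHandler` and the parameter name `redirect` are assumptions for this example; confirm the bean name against the plugin version you run. Whatever the parameter holds is redirected to verbatim, so treat it as attacker-controlled, which is exactly the surface the SEC-1790 fix closed by default.

```groovy
// grails-app/conf/spring/resources.groovy
// Added example, not code from the question or the answer. Re-enables the
// logout redirect parameter on Spring Security 3.1's SimpleUrlLogoutSuccessHandler
// by overriding the plugin's bean. The bean name `logoutSuccessHandler` and the
// parameter name `redirect` are assumptions.
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler

beans = {
    logoutSuccessHandler(SimpleUrlLogoutSuccessHandler) {
        // Where to send the user when the request carries no target parameter
        defaultTargetUrl = '/'
        // Name of the request parameter whose value becomes the redirect target
        // (3.1 leaves this unset, so ?spring-security-redirect=... is ignored by default)
        targetUrlParameter = 'redirect'
        // Setting alwaysUseDefaultTargetUrl = true would ignore the parameter entirely
    }
}
```

With this in place a request to the logout URL with `?redirect=/some/path` is honoured again, but nothing in the handler restricts the value to your own application, so only do this if the set of targets is fixed or validated elsewhere.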

小智 · 15 votes

You can log out programmatically and perform a manual redirect in a controller action:

import org.springframework.security.core.Authentication
import org.springframework.security.core.context.SecurityContextHolder

// Bean where Spring Security stores the logout handlers
def logoutHandlers

// logout action
def logout = {
    // Log out programmatically by running every registered LogoutHandler
    Authentication auth = SecurityContextHolder.context.authentication
    if (auth) {
        logoutHandlers.each { handler ->
            handler.logout(request, response, auth)
        }
    }
    // params.redirect is taken verbatim from the request; nothing here validates it
    redirect uri: params.redirect
}

  • import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder (2 upvotes)
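The answer above hands the unchecked `params.redirect` straight to `redirect`, which is the same class of problem (an attacker-chosen redirect target, including one carrying CR/LF) that made Spring Security disable the parameter in the first place. The following is an added example, not the answerer's code or the plugin's: a complete Grails controller that logs out through the plugin's `logoutHandlers` list exactly as the answer does, but only redirects to a target that is an absolute path inside this application, falling back to `/` otherwise. The class name, the action name and the `redirect` parameter name are assumptions; `logoutHandlers` is the bean name the answer relies on.

```groovy
// Added example (not from the question or the answer): programmatic logout
// followed by a redirect that only ever points back into this application.
// Assumes the spring-security-core plugin's `logoutHandlers` bean (a List of
// LogoutHandler) is injected by name, as in the answer.
import org.springframework.security.core.Authentication
import org.springframework.security.core.context.SecurityContextHolder
import org.springframework.security.web.authentication.logout.LogoutHandler

class LogoutController {

    // Injected by name from the plugin's Spring context
    List<LogoutHandler> logoutHandlers

    static final String DEFAULT_TARGET = '/'

    /**
     * Returns the candidate if it is a safe, same-application path, otherwise
     * DEFAULT_TARGET. "Safe" here means:
     *   - no raw CR/LF (Grails has already URL-decoded params, so an encoded
     *     %0d/%0a shows up here as the raw character and is caught too);
     *   - starts with exactly one '/', so scheme-relative targets (//evil.example)
     *     and absolute URLs (https://evil.example) are rejected, as are
     *     backslash variants (/\evil.example) that some browsers normalise to //.
     */
    static String safeRedirectTarget(String candidate) {
        if (!candidate) {
            return DEFAULT_TARGET
        }
        if (candidate =~ /[\r\n]/) {
            return DEFAULT_TARGET
        }
        if (!(candidate ==~ /\/(?![\/\\]).*/)) {
            return DEFAULT_TARGET
        }
        return candidate
    }

    def logout = {
        // Run every registered LogoutHandler (session invalidation, remember-me
        // cookie removal, security context clearing), same as the answer does
        Authentication auth = SecurityContextHolder.context.authentication
        if (auth) {
            logoutHandlers.each { LogoutHandler handler ->
                handler.logout(request, response, auth)
            }
        }

        // A repeated parameter arrives as an array; treat anything but a single
        // String as "no target given"
        def raw = params.redirect
        String candidate = raw instanceof String ? raw : null
        String target = safeRedirectTarget(candidate)

        log.info "Logged out ${auth?.name ?: 'anonymous'}, redirecting to ${target}"
        redirect uri: target
    }
}
```

Examples of how `safeRedirectTarget` behaves on realistic input: `/app/home` and `/` are returned unchanged; `//evil.example`, `/\evil.example`, `https://evil.example`, `javascript:alert(1)`, an empty value and anything containing a CR or LF all fall back to `/`. Using `redirect uri:` rather than `redirect url:` keeps the target relative to the application's context path, so even a value that passes the check cannot leave the application.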