I'm using basic authentication to secure an initial REST web service I'm developing. Everything seems to work fine, but the logout path doesn't seem to work. As documented, it redirects to "/login?logout", but my user still doesn't appear to be logged out (i.e., I can still access page X instead of the expected page Y).
Application configuration:
// Imports added so the class compiles as posted; the @EnableSwagger package
// is from swagger-springmvc and is assumed, the rest are Spring Boot 1.x / Spring Security 3.2.
import com.mangofactory.swagger.plugin.EnableSwagger;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.actuate.autoconfigure.ManagementSecurityAutoConfiguration;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@ComponentScan
@EnableAutoConfiguration(exclude = ManagementSecurityAutoConfiguration.class)
@EnableWebSecurity
@EnableSwagger
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    // Overrides Boot's default security configuration.
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    @Configuration
    protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.httpBasic()
                .and().authorizeRequests().antMatchers("/manage/**").hasRole("ADMIN")
                    .anyRequest().fullyAuthenticated()
                // Logout is triggered by GET /logout and invalidates the HTTP session.
                .and().logout().permitAll()
                    .logoutRequestMatcher(new AntPathRequestMatcher("/logout", HttpMethod.GET.toString()))
                    .invalidateHttpSession(true);
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // In-memory users; plain-text passwords are accepted by this Spring Security version.
            auth.inMemoryAuthentication()
                .withUser("admin").password("admin").roles("ADMIN", "USER")
                .and()
                .withUser("user").password("user").roles("USER");
        }
    }
}
Note that, overall, the security measures do seem to be in effect: I can open a new incognito tab and authentication/security works as expected.
2014-08-07 16:58:36.931 INFO 2132 --- [nio-8080-exec-2] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Thu Aug 07 16:58:36 EDT 2014, principal=user, type=AUTHENTICATION_SUCCESS, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null}]
- bvulaj
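As an added example (not part of the question or the poster's code), a simplified Python model of the request flow configured above: a logout that only invalidates the server-side session, against a client that, like a browser with cached Basic credentials, resends the Authorization header on every request. The user store and paths are constructed to mirror the question.

```python
import base64

# Constructed in-memory users, mirroring inMemoryAuthentication() in the question.
USERS = {"admin": "admin", "user": "user"}


class Server:
    """Simplified model of a servlet container with a session store and an HTTP Basic filter."""

    def __init__(self):
        self.sessions = {}  # session id -> principal
        self.next_id = 1

    def _basic_principal(self, headers):
        """Validate an 'Authorization: Basic ...' header against the user store."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        return user if USERS.get(user) == pw else None

    def request(self, path, headers):
        """Return (status, session_id). /logout invalidates the session (invalidateHttpSession(true));
        any other request is authorized via an existing session or, failing that, Basic credentials."""
        sid = headers.get("Cookie")
        if path == "/logout":
            self.sessions.pop(sid, None)
            return 302, None  # redirect to /login?logout
        principal = self.sessions.get(sid) or self._basic_principal(headers)
        if principal is None:
            return 401, None
        if sid not in self.sessions:  # credentials accepted: a fresh session is created
            sid = f"S{self.next_id}"
            self.next_id += 1
            self.sessions[sid] = principal
        return 200, sid


def browser_flow(user, password):
    """Model a browser that caches Basic credentials and resends them after logout.
    Returns (first status, logout status, status after logout, old session still present)."""
    srv = Server()
    cred = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    first, sid = srv.request("/api/x", {"Authorization": cred})
    logout, _ = srv.request("/logout", {"Authorization": cred, "Cookie": sid})
    after, _ = srv.request("/api/x", {"Authorization": cred, "Cookie": sid})
    return first, logout, after, sid in srv.sessions
```

The model reproduces the observed behaviour: the session is gone after /logout, yet the next request is accepted again because the resent credentials re-authenticate and a new session is created.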