Grails Redirect Post-Logout Using spring-security-core-3.0.6+

天大地大妈咪最大 提交于 2019-12-19 03:20:09

问题


In spring security version 3.0.6, which fixed a CRLF logout exploit (https://jira.springsource.org/browse/SEC-1790) they disabled the use of the 'spring-security-redirect' parameter.

Default support for the redirect parameter in logout URLs has also been removed in 3.0.6. In 3.1 it already needs to be enabled explicitly.

Is there a way to turn the redirect parameter back on, so that I can dynamically redirect in my Grails Spring Security Logout Controller?

LogoutContoller.groovy

def user = springSecurityService.currentUser

if (params.redirect) {
    // this needs to log the user out and then redirect, so don't redirect until we log the user out here
    log.info "Redirecting " + springSecurityService.currentUser.username + " to " + params.redirect
    // the successHandler.targetUrlParameter is spring-security-redirect, which should redirect after successfully logging the user out
    redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl + "?spring-security-redirect="+params.redirect
    return;
}


redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl // '/j_spring_security_logout'

The following no longer works for versions of spring security 3.0.6+


回答1:


You can logout programmatically and do manual redirect in a action of controller:

// Bean where Spring Security store logout handlers
def logoutHandlers
// logout action
def logout = {
    // Logout programmatically
        Authentication auth = SecurityContextHolder.context.authentication
    if (auth) {
        logoutHandlers.each  { handler->
            handler.logout(request,response,auth)
        }
    }
    redirect uri:params.redirect
}



回答2:


It is a pretty specialized topic, here is the researched solution:

Here is the 3.0.x commit that removed the redirection: http://git.springsource.org/spring-security/spring-security/commit/a087e828a63edf0932e4eecf174cf816cbe6a58a

The basic idea is that they removed the ability for the default LogoutSuccessHandler bean to handle redirects by removing the targetUrlParameter (setting it to null causes no redirects to happen).

Thus the solution to the problem is to 1) Create a simple LogoutSuccessHandler bean that does not set the targetUrlParameter to null:

/**
 * Handles the navigation on logout by delegating to the {@link AbstractAuthenticationTargetUrlRequestHandler}
 * base class logic.
 */
public class RedirectLogoutSuccessHandler extends AbstractAuthenticationTargetUrlRequestHandler
        implements LogoutSuccessHandler {

    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
            throws IOException, ServletException {
        super.handle(request, response, authentication);
    }

}

And 2) Register this bean in resources.groovy:

 logoutSuccessHandler(com.example.package.RedirectLogoutSuccessHandler)

And the default behavior is to allow for the logout redirects to happen.



来源:https://stackoverflow.com/questions/7788487/grails-redirect-post-logout-using-spring-security-core-3-0-6

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!