问题
In spring security version 3.0.6, which fixed a CRLF logout exploit (https://jira.springsource.org/browse/SEC-1790) they disabled the use of the 'spring-security-redirect' parameter.
Default support for the redirect parameter in logout URLs has also been removed in 3.0.6. In 3.1 it already needs to be enabled explicitly.
Is there a way to turn the redirect parameter back on, so that I can dynamically redirect in my Grails Spring Security Logout Controller?
LogoutContoller.groovy
def user = springSecurityService.currentUser
if (params.redirect) {
// this needs to log the user out and then redirect, so don't redirect until we log the user out here
log.info "Redirecting " + springSecurityService.currentUser.username + " to " + params.redirect
// the successHandler.targetUrlParameter is spring-security-redirect, which should redirect after successfully logging the user out
redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl + "?spring-security-redirect="+params.redirect
return;
}
redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl // '/j_spring_security_logout'
The following no longer works for versions of spring security 3.0.6+
回答1:
You can logout programmatically and do manual redirect in a action of controller:
// Bean where Spring Security store logout handlers
def logoutHandlers
// logout action
def logout = {
// Logout programmatically
Authentication auth = SecurityContextHolder.context.authentication
if (auth) {
logoutHandlers.each { handler->
handler.logout(request,response,auth)
}
}
redirect uri:params.redirect
}
回答2:
It is a pretty specialized topic, here is the researched solution:
Here is the 3.0.x commit that removed the redirection: http://git.springsource.org/spring-security/spring-security/commit/a087e828a63edf0932e4eecf174cf816cbe6a58a
The basic idea is that they removed the ability for the default LogoutSuccessHandler bean to handle redirects by removing the targetUrlParameter (setting it to null causes no redirects to happen).
Thus the solution to the problem is to 1) Create a simple LogoutSuccessHandler bean that does not set the targetUrlParameter to null:
/**
* Handles the navigation on logout by delegating to the {@link AbstractAuthenticationTargetUrlRequestHandler}
* base class logic.
*/
public class RedirectLogoutSuccessHandler extends AbstractAuthenticationTargetUrlRequestHandler
implements LogoutSuccessHandler {
public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
throws IOException, ServletException {
super.handle(request, response, authentication);
}
}
And
2) Register this bean in resources.groovy
:
logoutSuccessHandler(com.example.package.RedirectLogoutSuccessHandler)
And the default behavior is to allow for the logout redirects to happen.
来源:https://stackoverflow.com/questions/7788487/grails-redirect-post-logout-using-spring-security-core-3-0-6