Grails redirect after logout with spring-security-core 3.0.6
In spring security version 3.0.6, which fixed a CRLF logout exploit (https://jira.springsource.org/browse/SEC-1790), they disabled the use of the 'spring-security-redirect' parameter.
Default support for the redirect parameter in logout URLs has also been removed in 3.0.6. In 3.1 it already needs to be enabled explicitly.
Is there a way to turn the redirect parameter back on, so that I can dynamically redirect in my Grails Spring Security Logout Controller?
The following no longer works for versions of spring security 3.0.6+
LogoutContoller.groovy
```groovy
// SpringSecurityUtils lives in this package in the 1.x plugin (the one built on Spring Security 3.0.x)
import org.codehaus.groovy.grails.plugins.springsecurity.SpringSecurityUtils

class LogoutController {

    def springSecurityService

    def index = {
        def user = springSecurityService.currentUser
        if (params.redirect) {
            // this needs to log the user out and then redirect, so don't redirect until we log the user out here
            log.info "Redirecting " + user.username + " to " + params.redirect
            // the successHandler.targetUrlParameter is spring-security-redirect, which should redirect after successfully logging the user out
            redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl + "?spring-security-redirect=" + params.redirect
            return
        }
        redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl // '/j_spring_security_logout'
    }
}
```
Comments (2)
You can log out programmatically and do a manual redirect in an action of a controller:
It is a pretty specialized topic; here is the researched solution:
Here is the 3.0.x commit that removed the redirection: http://git.springsource.org/spring-security/spring-security/commit/a087e828a63edf0932e4eecf174cf816cbe6a58a
The basic idea is that they removed the ability for the default LogoutSuccessHandler bean to handle redirects by removing the targetUrlParameter (setting it to null causes no redirects to happen).
Thus the solution to the problem is to:
1) Create a simple LogoutSuccessHandler bean that does not set the targetUrlParameter to null, and
2) Register this bean in resources.groovy.
And the default behavior is to allow for the logout redirects to happen.
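The two snippets the answer above refers to, written here as an added example (not the answer's or the Grails plugin's own code). It assumes Spring Security 3.0.x's SimpleUrlLogoutSuccessHandler, and that the plugin's logout filter uses the bean named logoutSuccessHandler; the handler keeps targetUrlParameter but only follows a local, single-line path, so the parameter cannot be pointed at another host or carry CR/LF.

```groovy
// --- src/groovy/SafeRedirectLogoutSuccessHandler.groovy (added example, not plugin code) ---
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler

// Keeps the redirect parameter that 3.0.6 removed, but only follows it when the
// value is a path on this application. Absolute URLs, protocol-relative '//host',
// backslashes and CR/LF (the characters behind the SEC-1790 CRLF issue) fall back
// to defaultTargetUrl instead of being redirected to.
class SafeRedirectLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {

    @Override
    protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response) {
        String paramName = getTargetUrlParameter()
        if (paramName == null) {
            return getDefaultTargetUrl()        // parameter support switched off: behave like 3.0.6
        }
        String target = request.getParameter(paramName)
        return isLocalPath(target) ? target : getDefaultTargetUrl()
    }

    // Accept only "/something" on this app, with no characters that change host or headers.
    static boolean isLocalPath(String target) {
        if (!target) return false
        if (!target.startsWith('/') || target.startsWith('//')) return false
        return !(target.contains('\r') || target.contains('\n') || target.contains('\\'))
    }
}

// --- grails-app/conf/spring/resources.groovy ---
// Bean name 'logoutSuccessHandler' is assumed to be the one the plugin's logout
// filter uses; defining it here overrides the plugin's default handler.
beans = {
    logoutSuccessHandler(SafeRedirectLogoutSuccessHandler) {
        defaultTargetUrl = '/'                              // used when the parameter is absent or rejected
        targetUrlParameter = 'spring-security-redirect'    // re-enables ?spring-security-redirect=/path
    }
}
```

With this in place, the question's LogoutController redirect to `/j_spring_security_logout?spring-security-redirect=/some/page` works again, while a value such as `http://other.example` or `//other.example` lands on `/`.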