Grails Redirect Post-Logout Using spring-security-

2019-02-14 03:42发布

站内问答 / 前沿技术
580 2 4

In spring security version 3.0.6, which fixed a CRLF logout exploit (https://jira.springsource.org/browse/SEC-1790) they disabled the use of the 'spring-security-redirect' parameter.

Default support for the redirect parameter in logout URLs has also been removed in 3.0.6. In 3.1 it already needs to be enabled explicitly.

Is there a way to turn the redirect parameter back on, so that I can dynamically redirect in my Grails Spring Security Logout Controller?

LogoutContoller.groovy

def user = springSecurityService.currentUser

if (params.redirect) {
    // this needs to log the user out and then redirect, so don't redirect until we log the user out here
    log.info "Redirecting " + springSecurityService.currentUser.username + " to " + params.redirect
    // the successHandler.targetUrlParameter is spring-security-redirect, which should redirect after successfully logging the user out
    redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl + "?spring-security-redirect="+params.redirect
    return;
}


redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl // '/j_spring_security_logout'

The following no longer works for versions of spring security 3.0.6+

2条回答
再贱就再见
2楼-- · 2019-02-14 03:52

You can logout programmatically and do manual redirect in a action of controller:

// Bean where Spring Security store logout handlers
def logoutHandlers
// logout action
def logout = {
    // Logout programmatically
        Authentication auth = SecurityContextHolder.context.authentication
    if (auth) {
        logoutHandlers.each  { handler->
            handler.logout(request,response,auth)
        }
    }
    redirect uri:params.redirect
}
查看更多
0人赞 添加讨论(0) 举报
走好不送
3楼-- · 2019-02-14 03:58

It is a pretty specialized topic, here is the researched solution:

Here is the 3.0.x commit that removed the redirection: http://git.springsource.org/spring-security/spring-security/commit/a087e828a63edf0932e4eecf174cf816cbe6a58a

The basic idea is that they removed the ability for the default LogoutSuccessHandler bean to handle redirects by removing the targetUrlParameter (setting it to null causes no redirects to happen).

Thus the solution to the problem is to 1) Create a simple LogoutSuccessHandler bean that does not set the targetUrlParameter to null:

/**
 * Handles the navigation on logout by delegating to the {@link AbstractAuthenticationTargetUrlRequestHandler}
 * base class logic.
 */
public class RedirectLogoutSuccessHandler extends AbstractAuthenticationTargetUrlRequestHandler
        implements LogoutSuccessHandler {

    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
            throws IOException, ServletException {
        super.handle(request, response, authentication);
    }

}

And 2) Register this bean in resources.groovy:

 logoutSuccessHandler(com.example.package.RedirectLogoutSuccessHandler)

And the default behavior is to allow for the logout redirects to happen.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)