I found the same problem, with a solution here. The solution has not helped me. The example can be found here. As you can see, the example contains a description of logout in the client Angular part. It does not provide logout processing on the server part. I checked in the LogoutSuccessHandler:
authentication.isAuthenticated() == true
I tried some experiments, but logout did not work. I tried:
((UsernamePasswordAuthenticationToken) authentication).eraseCredentials();
or
authentication.setAuthenticated(false);
and .deleteCookies("JSESSIONID", "XSRF-TOKEN")
http.httpBasic().and().authorizeRequests()
    .antMatchers("/index.html", "/home.html", "/login.html", "/").permitAll().anyRequest()
    .authenticated().and().csrf()
    .csrfTokenRepository(csrfTokenRepository()).and()
    .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
http.authorizeRequests().anyRequest().authenticated()
    .and().logout().logoutSuccessHandler(logoutsuccess).deleteCookies("JSESSIONID", "XSRF-TOKEN")
    .invalidateHttpSession(true).permitAll();
The result is the same. I hope someone can help me with this issue. Thanks.
I'm sure it is not a security issue. It is a Chrome handler issue. I do not know how it happens, but Firefox works correctly, and IE processes it the same way.
I have checked the Chrome settings and found the following: Settings >> Show advanced settings... >> Manage passwords >> the Auto Sign-in flag was turned on. I removed the flag. The problem was not solved. I changed the login in application.yml. After restarting the application, IE and Firefox continued to work as expected (show the home page, login, logout and so on), but Chrome asked for the login and password in a popup window (a system window). If I do not enter the login/password there, I cannot see the page in Chrome (Whitelabel Error Page); if I enter the credentials in the popup window, I get an authorized session. If I press logout, the authorization does not disappear (after reloading the page I can see details meant for authorized users only).
So I think the question is closed in general. If anyone knows how this should be fixed in Chrome, please let me know. (I cleaned the cookies and cached data in Chrome using Ctrl+Shift+Del; it did not help.)
To add more details: the user of the application last time was u2. I renamed the user in the application.yml file to u3. Chrome was last used with u2, and the server knows nothing about user u2. After restarting the server I tried to load the home page in Chrome and got an authentication request popup window in Chrome. The server logs can be seen below.
2016-08-02 20:30:35.866 info 18404 --- [nio-8080-exec-1] o.a.c.c.c.[tomcat].[localhost].[/] : initializing spring frameworkservlet 'dispatcherservlet'
2016-08-02 20:30:35.867 info 18404 --- [nio-8080-exec-1] o.s.web.servlet.dispatcherservlet : frameworkservlet 'dispatcherservlet': initialization started
2016-08-02 20:30:35.883 info 18404 --- [nio-8080-exec-1] o.s.web.servlet.dispatcherservlet : frameworkservlet 'dispatcherservlet': initialization completed in 16 ms
2016-08-02 20:30:35.901 debug 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.antpathrequestmatcher : checking match of request : '/'; against '/css/**'
2016-08-02 20:30:35.901 debug 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.antpathrequestmatcher : checking match of request : '/'; against '/js/**'
2016-08-02 20:30:35.901 debug 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.antpathrequestmatcher : checking match of request : '/'; against '/images/**'
2016-08-02 20:30:35.901 debug 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.antpathrequestmatcher : checking match of request : '/'; against '/**/favicon.ico'
2016-08-02 20:30:35.901 debug 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.antpathrequestmatcher : checking match of request : '/'; against '/error'
2016-08-02 20:30:35.902 debug 18404 --- [nio-8080-exec-1] o.s.security.web.filterchainproxy : / @ position 1 of 13 in additional filter chain; firing filter: 'webasyncmanagerintegrationfilter'
2016-08-02 20:30:35.903 debug 18404 --- [nio-8080-exec-1] o.s.security.web.filterchainproxy : / @ position 2 of 13 in additional filter chain; firing filter: 'securitycontextpersistencefilter'
2016-08-02 20:30:35.903 debug 18404 --- [nio-8080-exec-1] w.c.httpsessionsecuritycontextrepository : no httpsession exists
2016-08-02 20:30:35.903 debug 18404 --- [nio-8080-exec-1] w.c.httpsessionsecuritycontextrepository : no securitycontext available httpsession: null. new 1 created.
2016-08-02 20:30:35.906 debug 18404 --- [nio-8080-exec-1] o.s.security.web.filterchainproxy : / @ position 3 of 13 in additional filter chain; firing filter: 'headerwriterfilter'
2016-08-02 20:30:35.906 debug 18404 --- [nio-8080-exec-1] o.s.s.w.header.writers.hstsheaderwriter : not injecting hsts header since did not match requestmatcher org.springframework.security.web.header.writers.hstsheaderwriter$securerequestmatcher@2583a7b2
2016-08-02 20:30:35.907 debug 18404 --- [nio-8080-exec-1] o.s.security.web.filterchainproxy : / @ position 4 of 13 in additional filter chain; firing filter: 'csrffilter'
2016-08-02 20:30:35.925 debug 18404 --- [nio-8080-exec-1] o.s.security.web.filterchainproxy : / @ position 5 of 13 in additional filter chain; firing filter: ''
2016-08-02 20:30:35.935 debug 18404 --- [nio-8080-exec-1] o.s.security.web.filterchainproxy : / @ position 6 of 13 in additional filter chain; firing filter: 'logoutfilter'
2016-08-02 20:30:35.935 debug 18404 --- [nio-8080-exec-1] o.s.s.w.u.matcher.antpathrequestmatcher : checking match of request : '/'; against '/logout'
2016-08-02 20:30:35.935 debug 18404 --- [nio-8080-exec-1] o.s.security.web.filterchainproxy : / @ position 7 of 13 in additional filter chain; firing filter: 'basicauthenticationfilter'
2016-08-02 20:30:35.937 debug 18404 --- [nio-8080-exec-1] o.s.s.w.a.www.basicauthenticationfilter : basic authentication authorization header found user 'u2'
2016-08-02 20:30:35.939 debug 18404 --- [nio-8080-exec-1] o.s.s.authentication.providermanager : authentication attempt using org.springframework.security.authentication.dao.daoauthenticationprovider
2016-08-02 20:30:35.940 debug 18404 --- [nio-8080-exec-1] o.s.s.a.dao.daoauthenticationprovider : user 'u2' not found
2016-08-02 20:30:35.941 debug 18404 --- [nio-8080-exec-1] o.s.s.w.a.www.basicauthenticationfilter : authentication request failed: org.springframework.security.authentication.badcredentialsexception: bad credentials
2016-08-02 20:30:35.941 debug 18404 --- [nio-8080-exec-1] s.w.a.delegatingauthenticationentrypoint : trying match using requestheaderrequestmatcher [expectedheadername=x-requested-with, expectedheadervalue=xmlhttprequest]
2016-08-02 20:30:35.941 debug 18404 --- [nio-8080-exec-1] s.w.a.delegatingauthenticationentrypoint : no match found. using default entry point org.springframework.security.web.authentication.www.basicauthenticationentrypoint@32c6200d
2016-08-02 20:30:35.941 debug 18404 --- [nio-8080-exec-1] w.c.httpsessionsecuritycontextrepository : securitycontext empty or contents anonymous - context not stored in httpsession.
2016-08-02 20:30:35.942 debug 18404 --- [nio-8080-exec-1] s.s.w.c.securitycontextpersistencefilter : securitycontextholder cleared, request processing completed
Please pay attention: I did not use user u2 in the request, but you can see information about this user in the server logs:
2016-08-02 20:30:35.937 debug 18404 --- [nio-8080-exec-1] o.s.s.w.a.www.basicauthenticationfilter : basic authentication authorization header found user 'u2'
2016-08-02 20:30:35.939 debug 18404 --- [nio-8080-exec-1] o.s.s.authentication.providermanager : authentication attempt using org.springframework.security.authentication.dao.daoauthenticationprovider
2016-08-02 20:30:35.940 debug 18404 --- [nio-8080-exec-1] o.s.s.a.dao.daoauthenticationprovider : user 'u2' not found
It seems Chrome provides unexpected behavior. And the example works correctly without additional changes.
P.S. Solution for Chrome.
I think that each time I use Chrome I need to use incognito mode. In incognito mode there is no token on the first request, so incognito mode provides the expected behavior, as it should be without Chrome hacks or workarounds.
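Added example (not part of the original post): a small Python check that picks out, from Spring Security debug logs in the format shown above, requests that arrived with no HttpSession yet still carried a Basic Authorization header, which is the pattern the post highlights for user u2. The function name and the exec-2 log lines are assumptions constructed for illustration; the exec-1 lines follow the post's log.

```python
import re

# Sample in the log format shown in the post. The exec-1 lines follow the post;
# the interleaved exec-2 request (user u3) is constructed for this example.
SAMPLE_LOG = """\
2016-08-02 20:30:35.903 debug 18404 --- [nio-8080-exec-1] w.c.httpsessionsecuritycontextrepository : no httpsession exists
2016-08-02 20:30:35.937 debug 18404 --- [nio-8080-exec-1] o.s.s.w.a.www.basicauthenticationfilter : basic authentication authorization header found user 'u2'
2016-08-02 20:30:35.938 debug 18404 --- [nio-8080-exec-2] w.c.httpsessionsecuritycontextrepository : no httpsession exists
2016-08-02 20:30:35.940 debug 18404 --- [nio-8080-exec-1] o.s.s.a.dao.daoauthenticationprovider : user 'u2' not found
2016-08-02 20:30:35.941 debug 18404 --- [nio-8080-exec-2] o.s.s.w.a.www.basicauthenticationfilter : basic authentication authorization header found user 'u3'
2016-08-02 20:30:35.942 debug 18404 --- [nio-8080-exec-1] s.s.w.c.securitycontextpersistencefilter : securitycontextholder cleared, request processing completed
2016-08-02 20:30:35.950 debug 18404 --- [nio-8080-exec-2] s.s.w.c.securitycontextpersistencefilter : securitycontextholder cleared, request processing completed
"""

# timestamp, level, pid, ---, [thread], logger, " : ", message
LINE = re.compile(r"^(\S+ \S+) \w+ \d+ --- \[([^\]]+)\] \S+\s+: (.*)$")
NO_SESSION = re.compile(r"no httpsession (?:currently )?exists", re.I)
BASIC_HDR = re.compile(r"authorization header found (?:for )?user '([^']*)'", re.I)
NOT_FOUND = re.compile(r"user '([^']*)' not found", re.I)
END = re.compile(r"securitycontextholder .*cleared", re.I)

def replayed_basic_credentials(log_text):
    """One finding per request that sent Basic credentials without a session."""
    open_reqs, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a log entry in the expected format
        ts, thread, msg = m.groups()
        # Requests interleave across worker threads, so track state per thread.
        req = open_reqs.setdefault(
            thread, {"no_session": False, "user": None, "unknown": False})
        if NO_SESSION.search(msg):
            req["no_session"] = True
        elif (h := BASIC_HDR.search(msg)):
            req["user"], req["time"] = h.group(1), ts
        elif (n := NOT_FOUND.search(msg)) and n.group(1) == req["user"]:
            req["unknown"] = True  # server no longer knows this account
        elif END.search(msg):  # end of request: emit a finding and reset
            done = open_reqs.pop(thread)
            if done["no_session"] and done["user"] is not None:
                findings.append({"time": done["time"], "user": done["user"],
                                 "rejected": done["unknown"]})
    return findings
```

A finding with "rejected" set to True is a request whose Basic credentials name an account the server does not know, as with u2 after the rename in application.yml.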