论坛首页 Java企业应用论坛

spring security 3.0 logout filter 代码中的一个小bug

浏览 2144 次
锁定老帖子 主题:spring security 3.0 logout filter 代码中的一个小bug
精华帖 (0) :: 良好帖 (0) :: 新手帖 (0) :: 隐藏帖 (0)
作者 正文
  • feiyan35488
  • 等级: 初级会员
  • 性别:
  • 文章: 145
  • 积分: 80
  • 来自: 北京
   发表时间:2011-01-27  
先附上
    
      public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (requiresLogout(request, response)) {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();

            if (logger.isDebugEnabled()) {
                logger.debug("Logging out user '" + auth + "' and transferring to logout destination");
            }

            for (LogoutHandler handler : handlers) {
                handler.logout(request, response, auth);
            }

            logoutSuccessHandler.onLogoutSuccess(request, response, auth);

            return;
        }

        chain.doFilter(request, response);
    }

    /**
     * Allow subclasses to modify when a logout should take place.
     *
     * @param request the request
     * @param response the response
     *
     * @return <code>true</code> if logout should occur, <code>false</code> otherwise
     */
    protected boolean requiresLogout(HttpServletRequest request, HttpServletResponse response) {
        String uri = request.getRequestURI();
        int pathParamIndex = uri.indexOf(';');

        if (pathParamIndex > 0) {
            // strip everything from the first semi-colon
            uri = uri.substring(0, pathParamIndex);
        }

        int queryParamIndex = uri.indexOf('?');

        if (queryParamIndex > 0) {
            // strip everything from the first question mark
            uri = uri.substring(0, queryParamIndex);
        }

        [color=red]if ("".equals(request.getContextPath())) {
            return uri.endsWith(filterProcessesUrl);
        }[/color]

        return [color=red]uri.endsWith(request.getContextPath() + filterProcessesUrl)[/color];
    }

    requiresLogout方法是判断url是否为 logout_url 的,居然用了 endsWith,我进行了测试,只要地址后缀为 j_spring_security_logout 的 都能退出系统。
    而且 if ("".equals(request.getContextPath())) {
            return uri.endsWith(filterProcessesUrl);
        }这段代码貌似没用, 直接用下面那个就能比较出来。
    大家有什么看法?
  
返回顶楼
         
论坛首页 Java企业应用版

跳转论坛:
Global site tag (gtag.js) - Google Analytics