java - Why SpringSecurity, after a logout, keeps giving the same authenticated Principal -


so using spring security spring boot. wanted make own authenticationprovider, using db in own way, did authenticate method:

@override     public authentication authenticate(authentication authentication) throws authenticationexception {         string email = authentication.getname();         string password = authentication.getcredentials().tostring();           userwithemail userwithemail = authservice.getuserbyemail(email);         if (userwithemail == null)             return null;         if (userwithemail.getpassword().equals(password)) {                usernamepasswordauthenticationtoken authenticated_user = new usernamepasswordauthenticationtoken(userwithemail, password, arrays.aslist(registered_user_simple_granted_authority));             return authenticated_user;         } else {             return null;         }     }

this, if use default /login page form, works , after if add following modelattribute controller, gets correctly filled userwithemail object:

@modelattribute("userwithemail")     public userwithemail userwithemail(){         authentication authentication = securitycontextholder.getcontext().getauthentication();          object principal = authentication.getprincipal();         if (principal instanceof userwithemail)             return (userwithemail) principal;         else             return null;      }

the problem if hit /login?logout, correctly displays logged out, if go through controller again still same userwithemail object principal , has property authenticated=true

this java config spring security:

http                 .formlogin()                 .defaultsuccessurl( "/" )                 .usernameparameter( "username" )                 .passwordparameter( "password" )                 .and()                  .logout().invalidatehttpsession(true).deletecookies("jsessionid").permitall().and()                  .authorizerequests()                 .antmatchers("*/**").permitall()                 .antmatchers("/static/**").permitall()                 .antmatchers("/profile").hasrole(myauthenticationprovider.registered_user_auth)                  .and().authenticationprovider(getauthprovider());

i'm new spring security maybe i'm missing something... can help?

according docs here csrf post mandatory logging out, csrf token attack protection.

because using custom templating engine had intercept csrf token in model attribute request, this:

@modelattribute("crsf_token") public csrftoken getcrsftoken(httpservletrequest request, model model) {     csrftoken token = (csrftoken) request.getattribute("_csrf");      return token; }

because not getting copied in model templating engine.


Comments

Post a Comment

Popular posts from this blog

jquery - How do you format the date used in the popover widget title of FullCalendar? -

Image
in fullcalendar, how format date used in popover widget title when clicking '+n more'? code: <div class="fc-popover fc-more-popover"> <div class="fc-header fc-widget-header"> <span class="fc-close fc-icon fc-icon-x"></span> <span class="fc-title">tuesday, april 7</span> ... </div> ... </div> you use daypopoverformat that. determines date format of title of popover created eventlimitclick option. must date formatting string. default value "dddd, mmmm d" english , "ll" other languages.
Read more

Bubble Sort Manually a Linked List in Java -

Image
this first question here. trying manually sort linked list of integers in java , can not figure out wrong code. suggestions? don't error, still have output unordered. tried few different ways, nothing worked. appreciate if can me that. public class node { int data; node nextnode; public node(int data) { this.data = data; this.nextnode = null; } public int getdata() { return this.data; } } // node class public class datalinkedlist implements datainterface { private node head; private int size; public datalinkedlist(){ this.head = null; this.size = 0; } public void add(int data) { node node = new node(data); if (head == null) { head = node; } else { node currentnode = head; while(currentnode.nextnode != null) { currentnode = currentnode.nextnode; } currentnode.nextnode = node; ...
Read more

asp.net mvc - SSO between MVCForum and Umbraco7 -

i need integrate sso between mvcforum (forum of company) , umbraco7 (manages cms company). however struggling shared authentication work. tried several ways suggested on other threads still not running expected. here did: 1. in mvcforum (forum.mywebsite.com) 1.1. machine key in web.xml: <machinekey validationkey="the same key umbraco7" decryptionkey="the same key umbraco7" validation="sha1" decryption="aes" /> 1.2. authenticate forms in web.xml <forms name="my-sso-auth" protection="all" path="/" timeout="43200" domain="forum.mywebsite.com" loginurl="/members/logon" enablecrossappredirects="true" /> 2. in umbraco7 (news.mywebsite.com) 2.1. machine key in web.xml: <machinekey validationkey="the same key mvcforum" decryptionkey="the same key mvcforum" validation="sha1" decryption="aes" /> 2.2. a...
Read more