Hello everyone. I've set up remember-me; if the box (remember-me) is not ticked, it works fine.

If I tick the box (remember-me) and then go to the logout page, the system sends me to the login page, but if I then open any protected page, I am logged in as an authorized user, i.e. there is effectively no logout, and the browser will remember me until the cookies expire.

In the settings I configured deletion of "JSESSIONID" and "remember-me", but it gave no result. How should I set up the logout?

Security Settings

    import javax.sql.DataSource;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.beans.factory.annotation.Qualifier;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
    import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(securedEnabled = true)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        @Qualifier("userDetailsService")
        public UserDetailsService userDetailsService;

        @Autowired
        public DataSource dataSource;

        @Autowired
        public void registerGlobalAuthentication(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService).passwordEncoder(getShaPasswordEncoder());
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable()
                .authorizeRequests()
                    .antMatchers("/static/**", "/**").permitAll()
                    .anyRequest().permitAll()
                    .and();
            http.formLogin()
                    .loginPage("/login")
                    .usernameParameter("login")
                    .passwordParameter("password")
                    .and()
                .rememberMe()
                    .rememberMeParameter("remember-me")
                    .tokenRepository(persistentTokenRepository())   // persistent tokens in the persistent_logins table
                    .tokenValiditySeconds(86400)
                    .and()
                .csrf()                                             // adds the CSRF configurer back after the disable() above
                    .and()
                .exceptionHandling().accessDeniedPage("/403");
            http.logout().permitAll()
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/login?logout")
                    .invalidateHttpSession(true)
                    .deleteCookies("JSESSIONID");
            /* http.exceptionHandling().accessDeniedPage("/403"); */
        }

        @Bean
        public PersistentTokenRepository persistentTokenRepository() {
            JdbcTokenRepositoryImpl tokenRepositoryImpl = new JdbcTokenRepositoryImpl();
            tokenRepositoryImpl.setDataSource(dataSource);
            return tokenRepositoryImpl;
        }

        @Bean
        public ShaPasswordEncoder getShaPasswordEncoder() {
            return new ShaPasswordEncoder();
        }
    }

Service

    import java.util.ArrayList;
    import java.util.List;
    import java.util.Set;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.stereotype.Service;
    import org.springframework.transaction.annotation.Transactional;
    // User, UserRole and UserService are the application's own domain classes (not shown).

    @Service
    public class UserDetailsServiceImpl implements UserDetailsService {

        @Autowired
        private UserService userService;

        @Override
        @Transactional(readOnly = true)
        public UserDetails loadUserByUsername(String login) throws UsernameNotFoundException {
            User user = userService.getUser(login);
            if (user == null)
                throw new UsernameNotFoundException("Username not found");
            return new org.springframework.security.core.userdetails.User(
                    user.getLogin(), user.getPassword(), true, true, true, true,
                    getGrantedAuthorities(user));
        }

        private List<GrantedAuthority> getGrantedAuthorities(User user) {
            Set<UserRole> userRols = user.getRols();
            List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
            for (UserRole userRole : userRols)
                authorities.add(new SimpleGrantedAuthority("ROLE_" + userRole.getRole()));
            return authorities;
        }
    }

Controller part

    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String loginPage() {
        return "login";
    }

    @RequestMapping(value = "/logout", method = RequestMethod.GET)
    public String logoutPage(HttpServletRequest request, HttpServletResponse response) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null)
            new SecurityContextLogoutHandler().logout(request, response, auth);   // clears the SecurityContext only
        return "redirect:/login?logout";
    }

    2 answers

    The only thing that worked: in the controller, on logout, add the following code before the return. Then the logout works.

      Cookie[] cookies = request.getCookies();   // null when the request carries no cookies at all
      if (cookies != null) {
          for (Cookie cookie : cookies) {
              System.out.println(cookie.getName());
              if (cookie.getName().equals("remember-me")) {
                  // A cookie read from the request has no path; the browser only drops the
                  // original if the expiring cookie ends up with the same name and path.
                  cookie.setMaxAge(0);
                  response.addCookie(cookie);
              }
          }
      }

      AbstractRememberMeServices defines the constant SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY = "remember-me".

      This is the name of the cookie in which the remember-me token is stored. If you haven't changed it, clearing it should help.

      The correct form is

          .deleteCookies(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY)
      • It did not help. I also tried it at the very beginning, but not through the "AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY" constant, rather with the literal "remember-me". - Alex Mandelbrot
      • There is one more quirk. On the client side it is assumed that you immediately log in as a different user, and the client cookie is not cleared. The remember-me cookie remains until the browser is closed. You also need to clear it with JavaScript on the logout page. Check whether the cookie is still there after you close the browser and open a new one. - Sergey Mitrofanov
      • If right after logging out I try to log in, even incorrectly, then the logout did happen. In the browser the remember-me cookie remains after closing. I'll add a client-side JavaScript cleanup then. - Alex Mandelbrot
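As an added example that is not from the question or either answer: the remember-me cookie is only half of a persistent login; the other half is the series/token row in persistent_logins that the JdbcTokenRepositoryImpl in the question writes, and a logout that only expires the cookie leaves that row usable until tokenValiditySeconds runs out. The handler below (hypothetical class name; it uses only Spring Security's public LogoutHandler and PersistentTokenRepository types) deletes those rows and expires the cookie with the path Spring set it with, which is also what Spring's own LogoutFilter does when rememberMe() is configured and the logout request goes through it rather than through a controller.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

/**
 * Hypothetical logout handler (not part of Spring Security) that undoes a
 * persistent remember-me login on both sides: it deletes the user's rows from
 * the persistent_logins table and expires the cookie under the path Spring
 * set it with. Register it via http.logout().addLogoutHandler(...) or call
 * it from a logout controller next to SecurityContextLogoutHandler.
 */
public class RememberMeClearingLogoutHandler implements LogoutHandler {

    private final PersistentTokenRepository tokenRepository;
    private final String cookieName;

    public RememberMeClearingLogoutHandler(PersistentTokenRepository tokenRepository) {
        // Default cookie name, the same constant the answer above quotes ("remember-me")
        this(tokenRepository, AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
    }

    public RememberMeClearingLogoutHandler(PersistentTokenRepository tokenRepository, String cookieName) {
        this.tokenRepository = tokenRepository;
        this.cookieName = cookieName;
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication auth) {
        // Server side: once the series is gone, a cookie copy that survives in the
        // browser can no longer log anyone in, whatever the client does with it.
        if (auth != null) {
            tokenRepository.removeUserTokens(auth.getName());
        }
        // Client side: the browser only replaces the original cookie if the deletion
        // cookie has the same name and path. Spring uses the context path, or "/"
        // when the application is deployed at the root.
        Cookie expired = new Cookie(cookieName, null);
        expired.setMaxAge(0);
        String contextPath = request.getContextPath();
        expired.setPath(contextPath.length() > 0 ? contextPath : "/");
        response.addCookie(expired);
    }
}
```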