提交 b0701ea7 编写于 作者: R Rob Winch

SEC-3068: Update Tutorial to use POST /logout

上级 8cc91086
<?xml version="1.0" encoding="UTF-8"?>
<!--
- Sample namespace-based configuration
-
-->
- Sample namespace-based configuration
-
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
......@@ -19,12 +19,12 @@
<http pattern="/loggedout.jsp" security="none"/>
<http>
<intercept-url pattern="/secure/extreme/**" access="hasRole('supervisor')"/>
<intercept-url pattern="/secure/**" access="isAuthenticated()" />
<intercept-url pattern="/secure/extreme/**" access="hasAuthority('supervisor')"/>
<intercept-url pattern="/secure/**" access="authenticated" />
<!--
Allow all other requests. In a real application you should
adopt a whitelisting approach where access is not allowed by default
-->
Allow all other requests. In a real application you should
adopt a whitelisting approach where access is not allowed by default
-->
<intercept-url pattern="/**" access="permitAll" />
<form-login />
<logout logout-success-url="/loggedout.jsp" delete-cookies="JSESSIONID"/>
......
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<link rel="stylesheet" href="<c:url value='/static/css/tutorial.css'/>" type="text/css" />
<title>Accounts</title>
</head>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<link rel="stylesheet" href="<c:url value='/static/css/tutorial.css'/>" type="text/css" />
<title>Accounts</title>
</head>
<body>
<div id="content">
......@@ -32,22 +33,26 @@ Anyone can view this page, but posting to an Account requires login and must be
<td><b>Operations</b></td>
</tr>
<c:forEach var="account" items="${accounts}">
<tr>
<td>${account.id}</td>
<td>${account.holder}</td>
<td>${account.balance}</td>
<td>${account.overdraft}</td>
<td>
<a href="post.html?id=${account.id}&amp;amount=-20.00">-$20</a>
<a href="post.html?id=${account.id}&amp;amount=-5.00">-$5</a>
<a href="post.html?id=${account.id}&amp;amount=5.00">+$5</a>
<a href="post.html?id=${account.id}&amp;amount=20.00">+$20</a>
</td>
</tr>
<tr>
<td>${account.id}</td>
<td>${account.holder}</td>
<td>${account.balance}</td>
<td>${account.overdraft}</td>
<td>
<a href="post.html?id=${account.id}&amp;amount=-20.00">-$20</a>
<a href="post.html?id=${account.id}&amp;amount=-5.00">-$5</a>
<a href="post.html?id=${account.id}&amp;amount=5.00">+$5</a>
<a href="post.html?id=${account.id}&amp;amount=20.00">+$20</a>
</td>
</tr>
</c:forEach>
</table>
<p><a href="logout">Logout</a></p>
<p>
<form action="logout" method="post">
<sec:csrfInput />
<input type="submit" value="Logout"/>
</form>
</div>
</body>
</html>
<%@ taglib prefix="authz" uri="http://www.springframework.org/security/tags" %>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<link rel="stylesheet" href="<c:url value='/static/css/tutorial.css'/>" type="text/css" />
<title>Secure Page</title>
</head>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<link rel="stylesheet" href="<c:url value='/static/css/tutorial.css'/>" type="text/css" />
<title>Secure Page</title>
</head>
<body>
<div id="content">
<h1>VERY Secure Page</h1>
This is a protected page. You can only see me if you are a supervisor.
<authz:authorize access="hasRole('supervisor')">
You have authority "supervisor" (this text is surrounded by &lt;authz:authorize&gt; tags).
</authz:authorize>
<sec:authorize access="hasAuthority('supervisor')">
You have authority "supervisor" (this text is surrounded by &lt;sec:authorize&gt; tags).
</sec:authorize>
<p><a href="../../">Home</a></p>
<p><a href="../../logout">Logout</a></p>
<form action="../../logout" method="post">
<sec:csrfInput />
<input type="submit" value="Logout"/>
</form>
</div>
</body>
</html>
......@@ -4,11 +4,11 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<link rel="stylesheet" href="<c:url value='/static/css/tutorial.css'/>" type="text/css" />
<title>Secure Page</title>
</head>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<link rel="stylesheet" href="<c:url value='/static/css/tutorial.css'/>" type="text/css" />
<title>Secure Page</title>
</head>
<body>
<div id="content">
......@@ -19,7 +19,7 @@ or if you've authenticated this session.
</p>
<p>
<sec:authorize access="hasRole('supervisor')">
You are a supervisor! You can therefore see the <a href="extreme/index.jsp">extremely secure page</a>.<br/><br/>
You are a supervisor! You can therefore see the <a href="extreme/index.jsp">extremely secure page</a>.<br/><br/>
</sec:authorize>
</p>
<h3>Properties obtained using &lt;sec:authentication /&gt; tag</h3>
......@@ -43,7 +43,11 @@ or if you've authenticated this session.
<p><a href="../">Home</a></p>
<p><a href="../logout">Logout</a></p>
<form action="../logout" method="post">
<sec:csrfInput />
<input type="submit" value="Logout"/>
</form>
</div>
</body>
</html>
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册