spring security 3.0 logout filter 代码中的一个小bug

先附上
   
      public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (requiresLogout(request, response)) {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();

            if (logger.isDebugEnabled()) {
                logger.debug("Logging out user '" + auth + "' and transferring to logout destination");
            }

            for (LogoutHandler handler : handlers) {
                handler.logout(request, response, auth);
            }

            logoutSuccessHandler.onLogoutSuccess(request, response, auth);

            return;
        }

        chain.doFilter(request, response);
    }

    /**
     * Allow subclasses to modify when a logout should take place.
     *
     * @param request the request
     * @param response the response
     *
     * @return <code>true</code> if logout should occur, <code>false</code> otherwise
     */
    protected boolean requiresLogout(HttpServletRequest request, HttpServletResponse response) {
        String uri = request.getRequestURI();
        int pathParamIndex = uri.indexOf(';');

        if (pathParamIndex > 0) {
            // strip everything from the first semi-colon
            uri = uri.substring(0, pathParamIndex);
        }

        int queryParamIndex = uri.indexOf('?');

        if (queryParamIndex > 0) {
            // strip everything from the first question mark
            uri = uri.substring(0, queryParamIndex);
        }

        [color=red]if ("".equals(request.getContextPath())) {
            return uri.endsWith(filterProcessesUrl);
        }[/color]

        return [color=red]uri.endsWith(request.getContextPath() + filterProcessesUrl)[/color];
    }

    

    requiresLogout方法是判断url是否为 logout_url 的,居然用了 endsWith,我进行了测试,只要地址后缀为 j_spring_security_logout 的 都能退出系统。
    而且 if ("".equals(request.getContextPath())) {
            return uri.endsWith(filterProcessesUrl);
        }
这段代码貌似没用, 直接用下面那个就能比较出来。
    大家有什么看法?
  

你可能感兴趣的:(spring,Security,J#)