更新时间:2023-09-19 12:35:40
The answer could be in the description of the create-session
attribute:
never
-Spring Security永远不会创建会话,但如果应用程序创建会话,则会使用一个会话.stateless
-Spring Security将不会创建会话,并且会忽略该会话以获取Spring身份验证.never
- Spring Security will never create a session, but will make use of one if the application does.stateless
- Spring Security will not create a session and ignore the session for obtaining a Spring Authentication.由于您选择了stateless
,因此在忽略表单登录后,auth对象将保留在会话中.尝试never
是否按预期工作.
Since you chose stateless
the auth object persisted in the session after the form-login is ignored. Try if never
works as you expect.