Spring Security 退出
Spring Security是一个可以为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。它提供了一组能够在Spring应用上下文中配置的Bean,充分利用了Spring IoC,DI(控制反转Inversion of Control ,DI:Dependency Injection 依赖注入)和AOP(面向切面编程)功能,为应用系统提供声明式的安全访问控制功能,减小了为企业系统安全控制编写大量重复代码的工做。html
退出原理
- 清除
Cookie(若是有 - CookieClearingLogoutHandler) - 清除当前用户的
remember-me记录(若是有 - TokenBasedRememberMeServices) - Clears the CsrfToken (若有有csrf - CsrfLogoutHandler)
- 使当前
session失效 (SecurityContextLogoutHandler) - 清空当前的
SecurityContext(SecurityContextLogoutHandler) - 重定向到登陆界面 (logoutSuccessHandler - SimpleUrlLogoutSuccessHandler)
Spring Security的退出请求(默认为/logout)由LogoutFilter过滤器拦截处理。java
退出的实现
- 主页中添加退出连接
<a href="/signOut">退出</a>
......
.and()
.logout()
.logoutUrl("/signOut")//自定义退出的地址
.logoutSuccessUrl("/register")//退出以后跳转到注册页面
.deleteCookies("JSESSIONID")//删除当前的JSESSIONID
.and()
......
效果以下
源码分析
LogoutFilter#doFilter
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
//#1.匹配到/logout请求
if (requiresLogout(request, response)) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (logger.isDebugEnabled()) {
logger.debug("Logging out user '" + auth
+ "' and transferring to logout destination");
}
//#2.处理1-4步
this.handler.logout(request, response, auth);
//#3.重定向到注册界面
logoutSuccessHandler.onLogoutSuccess(request, response, auth);
return;
}
chain.doFilter(request, response);
}
- 匹配当前拦截的请求
- 处理 清空
Cookie、remember-me、session和SecurityContext - 重定向到登陆界面
handler
CookieClearingLogoutHandler清空CookiePersistentTokenBasedRememberMeServices清空remember-meCsrfLogoutHandlerClears the CsrfTokenXSRF-TOKENSecurityContextLogoutHandler使当前session无效,清空当前的SecurityContext
CookieClearingLogoutHandler#logout
public void logout(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) {
for (String cookieName : cookiesToClear) {
//# 1.Cookie置为null
Cookie cookie = new Cookie(cookieName, null);
String cookiePath = request.getContextPath();
if (!StringUtils.hasLength(cookiePath)) {
cookiePath = "/";
}
cookie.setPath(cookiePath);
cookie.setMaxAge(0);
response.addCookie(cookie);
}
}
Cookie置为null
PersistentTokenBasedRememberMeServices#logout
public void logout(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) {
super.logout(request, response, authentication);
if (authentication != null) {
//#1.清空persistent_logins表中记录
tokenRepository.removeUserTokens(authentication.getName());
}
}
- 清空persistent_logins表中记录
SecurityContextLogoutHandler#logout
public void logout(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) {
Assert.notNull(request, "HttpServletRequest required");
if (invalidateHttpSession) {
HttpSession session = request.getSession(false);
if (session != null) {
logger.debug("Invalidating session: " + session.getId());
//#1.使当前session失效
session.invalidate();
}
}
if (clearAuthentication) {
SecurityContext context = SecurityContextHolder.getContext();
//#2.清空当前的`SecurityContext`
context.setAuthentication(null);
}
SecurityContextHolder.clearContext();
}
- 使当前session失效
- 清空当前的
SecurityContext
AbstractAuthenticationTargetUrlRequestHandler#handle
protected void handle(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException {
//#1.获取配置的跳转地址
String targetUrl = determineTargetUrl(request, response);
if (response.isCommitted()) {
logger.debug("Response has already been committed. Unable to redirect to "
+ targetUrl);
return;
}
//#2.跳转请求
redirectStrategy.sendRedirect(request, response, targetUrl);
}
- 获取配置的跳转地址
- 跳转请求
代码下载
从个人 github 中下载,https://github.com/longfeizheng/logbackgit
相关文章
- 1. Spring Security源码分析八:Spring Security 退出
- 2. Spring-Security-入门(一):登录与退出
- 3. SpringBoot+Spring Security退出登陆/自定义退出
- 4. Spinrg Security原理 ------退出(一)
- 5. Spring Cloud【Spring Security OAuth2 OSS logout 】单点登录退出
- 6. Spring Security 实战干货:实现自定义退出登陆
- 7. 【Spring Security OAuth2笔记系列】- Spring Social第三方登陆 - 退出登陆
- 8. Spring Security
- 9. spring security method security
- 10. Spring Security(七):2.4 Getting Spring Security
- 更多相关文章...
- • SVN 版本回退 - SVN 教程
- • XSL-FO 输出 - XSL-FO 教程
- • Spring Cloud 微服务实战(三) - 服务注册与发现
- • SpringBoot中properties文件不能自动提示解决方法
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. python的安装和Hello,World编写
- 2. 重磅解读:K8s Cluster Autoscaler模块及对应华为云插件Deep Dive
- 3. 鸿蒙学习笔记2(永不断更)
- 4. static关键字 和构造代码块
- 5. JVM笔记
- 6. 无法启动 C/C++ 语言服务器。IntelliSense 功能将被禁用。错误: Missing binary at c:\Users\MSI-NB\.vscode\extensions\ms-vsc
- 7. 【Hive】Hive返回码状态含义
- 8. Java树形结构递归(以时间换空间)和非递归(以空间换时间)
- 9. 数据预处理---缺失值
- 10. 都要2021年了,现代C++有什么值得我们学习的?
欢迎关注本站公众号,获取更多信息
相关文章
- 1. Spring Security源码分析八:Spring Security 退出
- 2. Spring-Security-入门(一):登录与退出
- 3. SpringBoot+Spring Security退出登陆/自定义退出
- 4. Spinrg Security原理 ------退出(一)
- 5. Spring Cloud【Spring Security OAuth2 OSS logout 】单点登录退出
- 6. Spring Security 实战干货:实现自定义退出登陆
- 7. 【Spring Security OAuth2笔记系列】- Spring Social第三方登陆 - 退出登陆
- 8. Spring Security
- 9. spring security method security
- 10. Spring Security(七):2.4 Getting Spring Security