Spring Security: Handling Logout


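Spring Security has a lot built in. That is often convenient, but not understanding its internals can easily lead to problems. This article covers Spring Security's support for logout.

Spring Security's default logout URL is /logout. After logout it performs the following operations:

Beyond the default behaviour, developers usually want to be able to configure logout flexibly themselves.

LogoutHandler takes part in the processing when the application executes a logout. It must not throw exceptions. Several implementations are provided out of the box.

LogoutSuccessHandler is called after the LogoutHandlers have run and completed successfully. It may throw exceptions. Two implementations are provided out of the box.

On logout, distinguish between an API logout and a page logout, and handle each kind differently.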
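One way to separate the two kinds of logout, as an added example that is not code from the original article. It assumes Spring Security 5.x with WebSecurityConfigurerAdapter, that API clients send the header X-Requested-With: XMLHttpRequest, and a hypothetical class name LogoutRoutingConfig; the /login?logout target is likewise an assumption.

```java
import java.util.LinkedHashMap;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.logout.DelegatingLogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class LogoutRoutingConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Assumption: API (AJAX) clients mark their requests with this header.
        RequestMatcher apiRequest = new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest");

        // API logout: answer with a bare status code, never a redirect to an HTML page.
        LinkedHashMap<RequestMatcher, LogoutSuccessHandler> routes = new LinkedHashMap<>();
        routes.put(apiRequest, new HttpStatusReturningLogoutSuccessHandler(HttpStatus.NO_CONTENT));

        // Page logout: send the browser back to the login page.
        SimpleUrlLogoutSuccessHandler pageLogout = new SimpleUrlLogoutSuccessHandler();
        pageLogout.setDefaultTargetUrl("/login?logout");

        DelegatingLogoutSuccessHandler router = new DelegatingLogoutSuccessHandler(routes);
        router.setDefaultLogoutSuccessHandler(pageLogout);

        http
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .formLogin().permitAll()
            .and()
            .logout()                           // CSRF stays on, so /logout accepts POST only
                .logoutUrl("/logout")
                .invalidateHttpSession(true)    // default, spelled out
                .clearAuthentication(true)      // default, spelled out
                .deleteCookies("JSESSIONID")
                .logoutSuccessHandler(router)
                .permitAll();
    }
}
```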

Reference: https://docs.spring.io/spring-security/site/docs/5.2.1.RELEASE/reference/htmlsingle/#ns-logout

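Spring Boot Security login configuration

Resulting behaviour

When a URL is accessed without being logged in, the user is redirected to the login page and asked to log in. If the user is already logged in, the requested data is returned.

Screenshots

Accessing data while not logged in returns the login page.

Logging in.

After a successful login, the logout page is shown.

Accessing the data again after a successful login.

POM file

Add the Security dependency. The database layer uses MyBatis.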

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.1.6.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>

    <groupId>com.gailguo</groupId>
    <artifactId>login</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>login</name>
    <description>Demo project for Spring Boot</description>
    <properties>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.mybatis.spring.boot</groupId>
            <artifactId>mybatis-spring-boot-starter</artifactId>
            <version>2.0.1</version>
        </dependency>

        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <scope>runtime</scope>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>

    </dependencies>


    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

  

 

 

Configuring Security with WebSecurityConfigurerAdapter

1. authorizeRequests().antMatchers("/user/*").permitAll().anyRequest().authenticated() means that /user needs no authentication, while everything else does.
2. .formLogin().loginPage("/login.html").loginProcessingUrl("/signin").successHandler(successHandler).failureHandler(failureHandler) sets the login page, the URL that processes the login, and the handlers for login success and login failure.
3. .usernameParameter("username").passwordParameter("password").permitAll() sets the names of the request parameters that carry the username and the password.
4. .logout().logoutUrl("/signout").logoutSuccessHandler(logoutSuccessHandler).permitAll(); sets the logout URL and its handler.
5. .csrf().disable()


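import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AjaxAuthSuccessHandler successHandler;

    @Autowired
    private AjaxAuthFailureHandler failureHandler;

    @Autowired
    private AjaxLogoutSuccessHandler logoutSuccessHandler;

    @Autowired
    private UserDetailsServiceImpl userDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests().antMatchers("/user/*").permitAll().anyRequest().authenticated()
                .and()
                .csrf().disable() // Disables CSRF protection
                .formLogin().loginPage("/login.html").loginProcessingUrl("/signin").successHandler(successHandler).failureHandler(failureHandler)
                .usernameParameter("username").passwordParameter("password").permitAll()
                .and()
                .logout().logoutUrl("/signout").logoutSuccessHandler(logoutSuccessHandler).permitAll();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // This encoder stores and compares passwords as plain text; no hashing is applied.
        auth.userDetailsService(userDetailsService).passwordEncoder(new PasswordEncoder() {
            @Override
            public String encode(CharSequence charSequence) {
                return charSequence.toString();
            }

            @Override
            public boolean matches(CharSequence charSequence, String s) {
                return s.equals(charSequence.toString());
            }
        });
    }
}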
  

 

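SimpleUrlAuthenticationSuccessHandler

On successful login

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.stereotype.Component;

@Component
public class AjaxAuthSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
    private static final Logger logger = LoggerFactory.getLogger(AjaxAuthSuccessHandler.class);

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
        // The {} placeholder is required, otherwise the argument is silently dropped.
        logger.info("Authentication success, login successfully: {}", request.getParameter("username"));
        response.setStatus(HttpServletResponse.SC_OK);
        response.sendRedirect("/home.html");
    }
}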
 

 

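On failed login

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.stereotype.Component;

@Component
public class AjaxAuthFailureHandler extends SimpleUrlAuthenticationFailureHandler {
    private static final Logger logger = LoggerFactory.getLogger(AjaxAuthFailureHandler.class);

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
        // The username parameter is client-supplied; neutralise CR/LF if logs are parsed line by line.
        logger.info("Authentication error, login failed: {}", request.getParameter("username"));
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication Failed");
    }
}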
  

 

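On successful logout

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.stereotype.Component;

@Component
public class AjaxLogoutSuccessHandler implements LogoutSuccessHandler {
    private static final Logger logger = LoggerFactory.getLogger(AjaxLogoutSuccessHandler.class);

    @Override
    public void onLogoutSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
        // The old session has already been invalidated here, so getSession() creates a new one.
        logger.info("Logout successfully, session id: {}", httpServletRequest.getSession().getId());
    }
}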
 

 

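UserDetailsService

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.PostConstruct;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service
public class UserDetailsServiceImpl implements UserDetailsService {

    // In-memory user store: username -> password (plain text, matching the encoder above)
    private Map<String, String> userRepository = new HashMap<>();

    @PostConstruct
    private void init() {
        userRepository.put("zhangshan", "123456");
        userRepository.put("guo", "123456");
    }

    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        String password = userRepository.get(s);
        if (password == null) {
            // new User(...) rejects a null password; report an unknown user as the contract requires
            throw new UsernameNotFoundException("User not found");
        }
        return new User(s, password, new ArrayList<>());
    }
}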
  

Code:

https://github.com/galibujianbusana/login
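The plain-text PasswordEncoder and the in-memory UserDetailsServiceImpl above, shown next to a hashed counterpart. This is an added example, not code from the original article or its repository; the class name HashedCredentialsConfig is hypothetical, the two accounts are the article's sample users, and the beans are assumed to replace the article's UserDetailsServiceImpl and anonymous encoder.

```java
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class HashedCredentialsConfig {

    // Delegating encoder: new hashes are written as "{bcrypt}..." and the prefix
    // selects the algorithm on verification, so the scheme can be upgraded later.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Constructed sample accounts, hashed at startup. A real application reads
        // stored hashes from its user table and never keeps the clear text.
        Map<String, String> hashes = new ConcurrentHashMap<>();
        hashes.put("zhangshan", encoder.encode("123456"));
        hashes.put("guo", encoder.encode("123456"));

        return username -> {
            String hash = hashes.get(username);
            if (hash == null) {
                // Contract of loadUserByUsername: unknown users raise this exception.
                throw new UsernameNotFoundException("unknown user");
            }
            return new User(username, hash, Collections.emptyList());
        };
    }
}
```

With both beans injected into WebSecurityConfig, the second configure method reduces to auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder).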

  

 
