Spring-security source code: the LogoutFilter filter (13)
LogoutFilter handles the logout-related logic; its default URL mapping is /logout.
org.springframework.security.config.annotation.web.configurers.LogoutConfigurer initialization
Where the default initialization happens: https://www.cnblogs.com/LQBlog/p/15508248.html#autoid-12-0-0
```java
private void applyDefaultConfiguration(HttpSecurity http) throws Exception {
    // http is itself a builder; everything here registers a default configurer
    // adds CsrfConfigurer
    http.csrf();
    // adds a WebAsyncManagerIntegrationFilter by default
    http.addFilter(new WebAsyncManagerIntegrationFilter());
    // adds ExceptionHandlingConfigurer
    http.exceptionHandling();
    // adds HeadersConfigurer
    http.headers();
    // adds SessionManagementConfigurer
    http.sessionManagement();
    // adds SecurityContextConfigurer
    http.securityContext();
    // adds RequestCacheConfigurer
    http.requestCache();
    // adds AnonymousConfigurer
    http.anonymous();
    // adds ServletApiConfigurer
    http.servletApi();
    // adds DefaultLoginPageConfigurer
    http.apply(new DefaultLoginPageConfigurer<>());
    // adds LogoutConfigurer
    http.logout();
}
```
A custom handler can be registered through http.logout().addLogoutHandler().
LogoutFilter
```java
private void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    // check whether this request should be handled; the default match is /logout
    if (requiresLogout(request, response)) {
        // fetch the Authentication from SecurityContextHolder
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (this.logger.isDebugEnabled()) {
            this.logger.debug(LogMessage.format("Logging out [%s]", auth));
        }
        /**
         * Calls CompositeLogoutHandler, which also implements LogoutHandler; it is only a
         * unified manager that loops over its LogoutHandlers internally.
         * There are three by default:
         * PersistentTokenBasedRememberMeServices <1>
         * SecurityContextLogoutHandler <2>
         * LogoutSuccessEventPublishingLogoutHandler <3>
         */
        this.handler.logout(request, response, auth);
        // SimpleUrlLogoutSuccessHandler handles a successful logout, e.g. redirecting to the login page
        this.logoutSuccessHandler.onLogoutSuccess(request, response, auth);
        return;
    }
    chain.doFilter(request, response);
}
```
<1>
org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices#logout
```java
@Override
public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
    // clear the cookie
    super.logout(request, response, authentication);
    if (authentication != null) {
        // delete the token
        this.tokenRepository.removeUserTokens(authentication.getName());
    }
}
```
<2>
org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler#logout
```java
@Override
public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
    Assert.notNull(request, "HttpServletRequest required");
    if (this.invalidateHttpSession) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            // invalidate the session
            session.invalidate();
            if (this.logger.isDebugEnabled()) {
                this.logger.debug(LogMessage.format("Invalidated session %s", session.getId()));
            }
        }
    }
    if (this.clearAuthentication) {
        // clear the Authentication held by the current SecurityContext
        SecurityContext context = SecurityContextHolder.getContext();
        context.setAuthentication(null);
    }
    // clear the SecurityContextHolder
    SecurityContextHolder.clearContext();
}
```
<3>
Publishes a Spring event; we can listen for this event to learn that a user has logged out. Reference: https://www.cnblogs.com/LQBlog/p/13878553.html#_label5
org.springframework.security.web.authentication.logout.LogoutSuccessEventPublishingLogoutHandler#logout
```java
@Override
public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
    if (this.eventPublisher == null) {
        return;
    }
    if (authentication == null) {
        return;
    }
    this.eventPublisher.publishEvent(new LogoutSuccessEvent(authentication));
}
```
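The two extension points described above, http.logout().addLogoutHandler() and listening for LogoutSuccessEvent, as an added example that is not code from the original post or from Spring Security itself. It assumes Spring Security 5.x (javax.servlet, WebSecurityConfigurerAdapter); ApiTokenLogoutHandler, LogoutAuditListener, SecurityConfig and the in-memory token store are hypothetical names.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.LogoutSuccessEvent;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.stereotype.Component;

// Hypothetical handler: revokes an API token kept outside the HTTP session.
@Component
class ApiTokenLogoutHandler implements LogoutHandler {
    // Hypothetical store (username -> token); stands in for a database or cache.
    private final Map<String, String> activeTokens = new ConcurrentHashMap<>();
    void register(String user, String token) { activeTokens.put(user, token); }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) {
        // May be null (e.g. /logout requested without a login); same guard as above.
        if (authentication != null) {
            activeTokens.remove(authentication.getName());
        }
    }
}

@Component
class LogoutAuditListener {
    // Receives the event published by LogoutSuccessEventPublishingLogoutHandler.
    @EventListener
    public void onLogout(LogoutSuccessEvent event) {
        System.out.println("logout: " + event.getAuthentication().getName());
    }
}

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    private final ApiTokenLogoutHandler tokenHandler;
    SecurityConfig(ApiTokenLogoutHandler tokenHandler) { this.tokenHandler = tokenHandler; }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().formLogin().and().logout().addLogoutHandler(tokenHandler);
    }
}
```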