Spring Security之注销登录

Spring Security支持在继承WebSecurityConfigurerAdapter的配置类中配置注销登录:

HttpSecurity内的logout()方法以一个LogoutConfigurer作为配置基础,创建一个用于注销登录的过滤器:
HttpSecurity:

public LogoutConfigurer<HttpSecurity> logout() throws Exception {
       return (LogoutConfigurer)this.getOrApply(new LogoutConfigurer());
   }

   public HttpSecurity logout(Customizer<LogoutConfigurer<HttpSecurity>> logoutCustomizer) throws Exception {
       logoutCustomizer.customize(this.getOrApply(new LogoutConfigurer()));
       return this;
   }

LogoutConfigurer:

    public void configure(H http) throws Exception {
        LogoutFilter logoutFilter = this.createLogoutFilter(http);
        http.addFilter(logoutFilter);
    }


    private LogoutFilter createLogoutFilter(H http) {
        this.logoutHandlers.add(this.contextLogoutHandler);
        this.logoutHandlers.add(this.postProcess(new LogoutSuccessEventPublishingLogoutHandler()));
        LogoutHandler[] handlers = (LogoutHandler[])this.logoutHandlers.toArray(new LogoutHandler[0]);
        LogoutFilter result = new LogoutFilter(this.getLogoutSuccessHandler(), handlers);
        result.setLogoutRequestMatcher(this.getLogoutRequestMatcher(http));
        result = (LogoutFilter)this.postProcess(result);
        return result;
    }

它默认注册了一个/logout路由,用户通过访问该路由可以安全地注销其登录状态,包括使HttpSession失效、清空已配置的Remember-me验证,以及清空SecurityContextHolder,并在注销成功之后重定向到/login?logout页面。

如有必要,还可以重新配置:

posted @ 2020-06-26 11:04  寒小韩  阅读(1176)  评论(0编辑  收藏  举报