我们查看源码
从默认的退出api入口,
http.logout();
进入logout方法,
public LogoutConfigurer<HttpSecurity> logout() throws Exception {
return getOrApply(new LogoutConfigurer<HttpSecurity>());
}
我们查看LogoutConfigurer类,默认的退出的url地址是/logout,默认的退出成功跳转的url地址是/login?logout
public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>> extends
AbstractHttpConfigurer<LogoutConfigurer<H>, H> {
private List<LogoutHandler> logoutHandlers = new ArrayList<LogoutHandler>();
private SecurityContextLogoutHandler contextLogoutHandler = new SecurityContextLogoutHandler();
//默认的退出成功跳转的url地址是/login?logout
private String logoutSuccessUrl = "/login?logout";
private LogoutSuccessHandler logoutSuccessHandler;
//默认的退出的url地址是/logout
private String logoutUrl = "/logout";
private RequestMatcher logoutRequestMatcher;
private boolean permitAll;
private boolean customLogoutSuccess;
private LinkedHashMap<RequestMatcher, LogoutSuccessHandler> defaultLogoutSuccessHandlerMappings =
new LinkedHashMap<RequestMatcher, LogoutSuccessHandler>();
/**
* Creates a new instance
* @see HttpSecurity#logout()
*/
public LogoutConfigurer() {
}
...
再往下看,LogoutConfigurer类的getLogoutRequestMatcher()方法,
@SuppressWarnings("unchecked")
private RequestMatcher getLogoutRequestMatcher(H http) {
if (logoutRequestMatcher != null) {
return logoutRequestMatcher;
}
if (http.getConfigurer(CsrfConfigurer.class) != null) {
this.logoutRequestMatcher = new AntPathRequestMatcher(this.logoutUrl, "POST");
}
else {
this.logoutRequestMatcher = new OrRequestMatcher(
new AntPathRequestMatcher(this.logoutUrl, "GET"),
new AntPathRequestMatcher(this.logoutUrl, "POST"),
new AntPathRequestMatcher(this.logoutUrl, "PUT"),
new AntPathRequestMatcher(this.logoutUrl, "DELETE")
);
}
return this.logoutRequestMatcher;
}
如果是启用了csrf模式,退出是使用的post类型,如果没有启动csrf那么启动的是else中的逻辑。
不使用csrf模式,在登录和退出的时候,post请求必须要有token,在login.jsp和logout.jsp中定义如下就是为了设置token。
<input type="hidden" name="${ _csrf.parameterName}" value="${ _csrf.token}" />
spring secuity默认的退出
上面大概看了一下默认的退出源码,我们先使用spring secuity默认的退出,
- 配置类
我们禁用了csrf模式,配置了默认的http.logout();
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("zhangsan").password("123456").roles("GUEST");
auth.inMemoryAuthentication().withUser("zhihao.miao").password("123456").roles("USER");
auth.inMemoryAuthentication().withUser("lisi").password("12345678").roles("USER", "ADMIN");
}
protected void configure(HttpSecurity http) throws Exception {
//禁用csrf模式
http.csrf().disable();
http.authorizeRequests().antMatchers("/hello").hasRole("GUEST");
http.authorizeRequests().antMatchers("/home").hasRole("USER");
http.authorizeRequests().antMatchers("/admin").hasRole("ADMIN");
//登录的跳转页面,和登录的动作url不应该有权限认证。
http.authorizeRequests().antMatchers("/sys/login").permitAll();
//配置登出页面的跳转url地址也有权限访问,不去跳转到登录页面
http.authorizeRequests().antMatchers("/sys/logout").permitAll();
http.authorizeRequests().antMatchers("/**/*.html").permitAll();
http.authorizeRequests().antMatchers("/**/*.css").permitAll();
http.authorizeRequests().antMatchers("/**/*.js").permitAll();
http.authorizeRequests().antMatchers("/**/*.png").access("permitAll");
http.authorizeRequests().anyRequest().authenticated();
http.formLogin().
loginPage("/sys/login").
loginProcessingUrl("/doLogin").
failureForwardUrl("/sys/loginFail"). //使用forward的方式,能拿到具体失败的原因,并且会将错误信息以SPRING_SECURITY_LAST_EXCEPTION的key的形式将AuthenticationException对象保存到request域中
defaultSuccessUrl("/public/login/ok.html"). //如果直接访问登录页面,则登录成功后重定向到这个页面,否则跳转到之前想要访问的页面
permitAll();
//logout默认的url是 /logout,如果csrf启用,则请求方式是POST,否则请求方式是GET、POST、PUT、DELETE
http.logout();
}
}
- 定义controller
我们访问这个/sys/logout的url地址的时候,跳转到退出页面
@GetMapping("/sys/logout")
public String logout(){
return "/jsp/logout";
}
- 定义退出页面
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
</head>
<body>
<a href="/logout">GET logout</a>
<br />
<form action="/logout" method="post">
<input type="hidden" name="${ _csrf.parameterName}" value="${ _csrf.token}" />
<input type="submit" value="POST Logout"/>
</form>
</body>
</html>
- 启动服务,测试一下
访问http://localhost:8001/hello,跳转到登录页面http://localhost:8001/sys/login,输入正确的用户名密码之后跳转到http://localhost:8001/hello,我们想退出,访问http://localhost:8001/sys/logout,跳转到我们定义的退出页面,因为我们禁用了csrf模式,所以退出的请求方式是GET、POST、PUT、DELETE
我们打开另外一个标签栏,点击get请求,退出成功跳转到登录页面,我们再去之前的标签栏刷新http://localhost:8001/hello请求,发现又跳转到登录页面http://localhost:8001/sys/login。
自定义退出
默认的推出url是/logout。我们这边定制的url及一些handler
- 配置类如下:
我们定义了退出url,以及退出url的请求类型是get,定义了三个退出handler,定义了一个退出成功的handler
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("zhangsan").password("123456").roles("GUEST");
auth.inMemoryAuthentication().withUser("zhihao.miao").password("123456").roles("USER");
auth.inMemoryAuthentication().withUser("lisi").password("12345678").roles("USER", "ADMIN");
}
protected void configure(HttpSecurity http) throws Exception {
//禁用csrf模式
http.csrf().disable();
http.authorizeRequests().antMatchers("/hello").hasRole("GUEST");
http.authorizeRequests().antMatchers("/home").hasRole("USER");
http.authorizeRequests().antMatchers("/admin").hasRole("ADMIN");
//登录的跳转页面,和登录的动作url不应该有权限认证。
http.authorizeRequests().antMatchers("/sys/login").permitAll();
//配置登出页面的跳转url地址也有权限访问,不去跳转到登录页面
http.authorizeRequests().antMatchers("/sys/logout").permitAll();
http.authorizeRequests().antMatchers("/**/*.html").permitAll();
http.authorizeRequests().antMatchers("/**/*.css").permitAll();
http.authorizeRequests().antMatchers("/**/*.js").permitAll();
http.authorizeRequests().antMatchers("/**/*.png").access("permitAll");
http.authorizeRequests().anyRequest().authenticated();
http.formLogin().
loginPage("/sys/login").
loginProcessingUrl("/doLogin").
failureForwardUrl("/sys/loginFail"). //使用forward的方式,能拿到具体失败的原因,并且会将错误信息以SPRING_SECURITY_LAST_EXCEPTION的key的形式将AuthenticationException对象保存到request域中
defaultSuccessUrl("/public/login/ok.html"). //如果直接访问登录页面,则登录成功后重定向到这个页面,否则跳转到之前想要访问的页面
permitAll();
//定制退出
http.logout()
//.logoutUrl("/sys/doLogout") //只支持定制退出url
//支持定制退出url以及httpmethod
.logoutRequestMatcher(new AntPathRequestMatcher("/sys/doLogout", "GET"))
.addLogoutHandler((request,response,authentication) -> System.out.println("=====1====="))
.addLogoutHandler((request,response,authentication) -> System.out.println("=====2======"))
.addLogoutHandler((request,response,authentication) -> System.out.println("=====3======"))
.logoutSuccessHandler(((request, response, authentication) -> {
System.out.println("=====4=======");
response.sendRedirect("/html/logoutsuccess1.html");
}))
//.logoutSuccessUrl("/html/logoutsuccess2.html") //成功退出的时候跳转的页面
//.deleteCookies() //底层也是使用Handler实现的额
//清除认证信息
.clearAuthentication(true)
.invalidateHttpSession(true)
; //使session失效
}
}
- 修改登出页面
修改get请求的链接地址是我们新配置的退出url。
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
</head>
<body>
<a href="/sys/doLogout">GET logout</a>
<br />
<form action="/logout" method="post">
<input type="hidden" name="${ _csrf.parameterName}" value="${ _csrf.token}" />
<input type="submit" value="POST Logout"/>
</form>
</body>
</html>
- 定义自己的退出成功页面
logoutsuccess1.html页面的内容如下:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
logout1 success
</body>
</html>
- 启动服务,测试一下
访问http://localhost:8001/hello,跳转到登录页面http://localhost:8001/sys/login,输入正确的用户名密码之后跳转到http://localhost:8001/hello,我们想退出,访问http://localhost:8001/sys/logout,跳转到我们定义的退出页面
我们打开另外一个标签栏,点击get请求,退出成功跳转到登录页面,我们再去之前的标签栏刷新
http://localhost:8001/hello请求,发现又跳转到登录页面http://localhost:8001/sys/login。
控制台打印:
[INFO] Session id node02vrs7ek2u7dfhgwg8q9azjxv0 swapped for new id node011kk0zpcbnr3p14se8mkozjue21
=====1=====
=====2======
=====3======
[INFO] Session node011kk0zpcbnr3p14se8mkozjue21 already being invalidated
=====4=======
