Spring Security原始碼分析八：Spring Security 退出

Spring Security是一個能夠為基於Spring的企業應用系統提供宣告式的安全訪問控制解決方案的安全框架。它提供了一組可以在Spring應用上下文中配置的Bean，充分利用了Spring IoC，DI（控制反轉Inversion of Control ,DI:Dependency Injection 依賴注入）和AOP（面向切面程式設計）功能，為應用系統提供宣告式的安全訪問控制功能，減少了為企業系統安全控制編寫大量重複程式碼的工作。

退出原理

1. 清除Cookie
2. 清除當前使用者的remember-me記錄
3. 使當前session失效
4. 清空當前的SecurityContext
5. 重定向到登入介面

Spring Security的退出請求（預設為/logout）由LogoutFilter過濾器攔截處理。

退出的實現

1. 主頁中新增退出連結

<a href="/signOut">退出</a>
複製程式碼

2. 配置MerryyouSecurityConfig

......
				.and()
                .logout()
                .logoutUrl("/signOut")//自定義退出的地址
                .logoutSuccessUrl("/register")//退出之後跳轉到註冊頁面
                .deleteCookies("JSESSIONID")//刪除當前的JSESSIONID
                .and()
......
複製程式碼

效果如下

原始碼分析

LogoutFilter#doFilter

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
			throws IOException, ServletException {
		HttpServletRequest request = (HttpServletRequest) req;
		HttpServletResponse response = (HttpServletResponse) res;
		//#1.匹配到/logout請求
		if (requiresLogout(request, response)) {
			Authentication auth = SecurityContextHolder.getContext().getAuthentication();

			if (logger.isDebugEnabled()) {
				logger.debug("Logging out user '" + auth
						+ "' and transferring to logout destination");
			}
			//#2.處理1-4步
			this.handler.logout(request, response, auth);
			//#3.重定向到註冊介面
			logoutSuccessHandler.onLogoutSuccess(request, response, auth);

			return;
		}

		chain.doFilter(request, response);
	}
複製程式碼

1. 匹配當前攔截的請求
2. 處理 清空Cookie、remember-me、session和SecurityContext
3. 重定向到登入介面

handler

1. CookieClearingLogoutHandler清空Cookie
2. PersistentTokenBasedRememberMeServices清空remember-me
3. SecurityContextLogoutHandler 使當前session無效,清空當前的SecurityContext

CookieClearingLogoutHandler#logout

public void logout(HttpServletRequest request, HttpServletResponse response,
			Authentication authentication) {
		for (String cookieName : cookiesToClear) {
			//# 1.Cookie置為null
			Cookie cookie = new Cookie(cookieName, null);
			String cookiePath = request.getContextPath();
			if (!StringUtils.hasLength(cookiePath)) {
				cookiePath = "/";
			}
			cookie.setPath(cookiePath);
			cookie.setMaxAge(0);
			response.addCookie(cookie);
		}
	}
複製程式碼

1. Cookie置為null

PersistentTokenBasedRememberMeServices#logout

public void logout(HttpServletRequest request, HttpServletResponse response,
			Authentication authentication) {
		super.logout(request, response, authentication);

		if (authentication != null) {
			//#1.清空persistent_logins表中記錄
			tokenRepository.removeUserTokens(authentication.getName());
		}
	}
複製程式碼

1. 清空persistent_logins表中記錄

SecurityContextLogoutHandler#logout

public void logout(HttpServletRequest request, HttpServletResponse response,
			Authentication authentication) {
		Assert.notNull(request, "HttpServletRequest required");
		if (invalidateHttpSession) {
			HttpSession session = request.getSession(false);
			if (session != null) {
				logger.debug("Invalidating session: " + session.getId());
				//#1.使當前session失效
				session.invalidate();
			}
		}

		if (clearAuthentication) {
			SecurityContext context = SecurityContextHolder.getContext();
			//#2.清空當前的`SecurityContext`
			context.setAuthentication(null);
		}

		SecurityContextHolder.clearContext();
	}
複製程式碼

1. 使當前session失效
2. 清空當前的SecurityContext

AbstractAuthenticationTargetUrlRequestHandler#handle

	protected void handle(HttpServletRequest request, HttpServletResponse response,
			Authentication authentication) throws IOException, ServletException {
		//#1.獲取配置的跳轉地址
		String targetUrl = determineTargetUrl(request, response);

		if (response.isCommitted()) {
			logger.debug("Response has already been committed. Unable to redirect to "
					+ targetUrl);
			return;
		}
		//#2.跳轉請求
		redirectStrategy.sendRedirect(request, response, targetUrl);
	}
複製程式碼

1. 獲取配置的跳轉地址
2. 跳轉請求

程式碼下載

從我的 github 中下載，github.com/longfeizhen…