退出原理
- 清除Cookie
- 清除當前使用者的remember-me記錄
- 使當前session失效
- 清空當前的SecurityContext
- 重定向到登入介面
Spring Security的退出請求(預設為/logout)由LogoutFilter過濾器攔截處理。
退出的實現
- 主頁中新增退出連結
<a href="/signOut">退出</a> 複製程式碼 - 配置MerryyouSecurityConfig
...... .and() .logout() .logoutUrl("/signOut")//自定義退出的地址 .logoutSuccessUrl("/register")//退出之後跳轉到註冊頁面 .deleteCookies("JSESSIONID")//刪除當前的JSESSIONID .and() ...... 複製程式碼
效果如下
原始碼分析
LogoutFilter#doFilter
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
//#1.匹配到/logout請求
if (requiresLogout(request, response)) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (logger.isDebugEnabled()) {
logger.debug("Logging out user '" + auth
+ "' and transferring to logout destination");
}
//#2.處理1-4步
this.handler.logout(request, response, auth);
//#3.重定向到註冊介面
logoutSuccessHandler.onLogoutSuccess(request, response, auth);
return;
}
chain.doFilter(request, response);
}
複製程式碼- 匹配當前攔截的請求
- 處理 清空Cookie、remember-me、session和SecurityContext
- 重定向到登入介面
handler
CookieClearingLogoutHandler清空CookiePersistentTokenBasedRememberMeServices清空remember-meSecurityContextLogoutHandler使當前session無效,清空當前的SecurityContext
CookieClearingLogoutHandler#logout
Cookie置為null
public void logout(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) {
for (String cookieName : cookiesToClear) {
//# 1.Cookie置為null
Cookie cookie = new Cookie(cookieName, null);
String cookiePath = request.getContextPath();
if (!StringUtils.hasLength(cookiePath)) {
cookiePath = "/";
}
cookie.setPath(cookiePath);
cookie.setMaxAge(0);
response.addCookie(cookie);
}
}
複製程式碼PersistentTokenBasedRememberMeServices#logout
清空persistent_logins表中記錄
public void logout(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) {
super.logout(request, response, authentication);
if (authentication != null) {
//#1.清空persistent_logins表中記錄
tokenRepository.removeUserTokens(authentication.getName());
}
}
複製程式碼SecurityContextLogoutHandler#logout
- 使當前session失效
- 清空當前的SecurityContext
public void logout(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) {
Assert.notNull(request, "HttpServletRequest required");
if (invalidateHttpSession) {
HttpSession session = request.getSession(false);
if (session != null) {
logger.debug("Invalidating session: " + session.getId());
//#1.使當前session失效
session.invalidate();
}
}
if (clearAuthentication) {
SecurityContext context = SecurityContextHolder.getContext();
//#2.清空當前的`SecurityContext`
context.setAuthentication(null);
}
SecurityContextHolder.clearContext();
}
複製程式碼AbstractAuthenticationTargetUrlRequestHandler#handle
- 獲取配置的跳轉地址
- 跳轉請求
protected void handle(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException {
//#1.獲取配置的跳轉地址
String targetUrl = determineTargetUrl(request, response);
if (response.isCommitted()) {
logger.debug("Response has already been committed. Unable to redirect to "
+ targetUrl);
return;
}
//#2.跳轉請求
redirectStrategy.sendRedirect(request, response, targetUrl);
}
複製程式碼程式碼下載
從我的 github 中下載,github.com/longfeizhen…