我对Spring Security有问题,我尝试在Spring Security中注销,但似乎不起作用。我请求注销url,但session和auth不清除。
这是一个Spring Cloud应用程序,运行Spring Cloud Finchley. RELEASE。使用zuul、Spring security和oaut2。
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/login","/login.html").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.successHandler(loginSuccessHandler)
.failureHandler(loginFailHandler)
.permitAll()
.and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessHandler(logoutHandler)
.clearAuthentication(true)
.deleteCookies("JSESSIONID")
.invalidateHttpSession(true);
http .cors().and().csrf().disable();
}
我预计请求注销url后,身份验证和会话无效
在您的logoutHandler中使用以下代码。
@Service
@Scope(scopeName = BeanDefinition.SCOPE_SINGLETON)
@Transactional(readOnly=false)
public class CustomLogoutSuccessHandler implements LogoutSuccessHandler{
@Override
public void onLogoutSuccess(HttpServletRequest httpServletRequest,
HttpServletResponse httpServletResponse, Authentication authentication)
throws IOException, ServletException {
if (authentication != null && authentication.getDetails() != null) {
try {
httpServletRequest.getSession().invalidate();
} catch (Exception e) {
e.printStackTrace();
}
}
httpServletResponse.setStatus(HttpServletResponse.SC_OK);
httpServletResponse.sendRedirect("/");
}
}
