Spring Security 是一个能够为基于 Spring 的企业应用系统提供声明式的安全访问控制解决方案的安全框架.它提供了一组可以在 Spring 应用上下文中配置的 Bean,充分利用了 Spring IoC,DI(控制反转 Inversion of Control ,DI:Dependency Injection 依赖注入)和 AOP(面向切面编程)功能,为应用系统提供声明式的安全访问控制功能,减少了为企业系统安全控制编写大量重复代码的工作.
退出原理
清除 Cookie
清除当前用户的 remember-me 记录
使当前 session 失效
清空当前的 SecurityContext
重定向到登录界面
Spring Security 的退出请求(默认为 / logout)由 LogoutFilter 过滤器拦截处理.
退出的实现
主页中添加退出链接
<a href="/signOut">退出</a>
配置 MerryyouSecurityConfig
......
.and()
.logout()
.logoutUrl("/signOut")//自定义退出的地址
.logoutSuccessUrl("/register")//退出之后跳转到注册页面
.deleteCookies("JSESSIONID")//删除当前的JSESSIONID
.and()
......
效果如下
user-gold-cdn.xitu.io/2018/1/18/1...
源码分析
LogoutFilter#doFilter public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException,
ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
//#1.匹配到/logout请求
if (requiresLogout(request, response)) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (logger.isDebugEnabled()) {
logger.debug("Logging out user '" + auth + "' and transferring to logout destination");
}
//#2.处理1-4步
this.handler.logout(request, response, auth);
//#3.重定向到注册界面
logoutSuccessHandler.onLogoutSuccess(request, response, auth);
return;
}
chain.doFilter(request, response);
}
匹配当前拦截的请求
处理 清空 Cookie,remember-me,session 和 SecurityContext
重定向到登录界面
handler
user-gold-cdn.xitu.io/2018/1/18/1...
CookieClearingLogoutHandler
清空 Cookie
PersistentTokenBasedRememberMeServices
清空 remember-me
SecurityContextLogoutHandler
使当前 session 无效, 清空当前的 SecurityContext
CookieClearingLogoutHandler#logout public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
for (String cookieName: cookiesToClear) {
//# 1.Cookie置为null
Cookie cookie = new Cookie(cookieName, null);
String cookiePath = request.getContextPath();
if (!StringUtils.hasLength(cookiePath)) {
cookiePath = "/";
}
cookie.setPath(cookiePath);
cookie.setMaxAge(0);
response.addCookie(cookie);
}
}
Cookie 置为 null
PersistentTokenBasedRememberMeServices#logout public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
super.logout(request, response, authentication);
if (authentication != null) {
//#1.清空persistent_logins表中记录
tokenRepository.removeUserTokens(authentication.getName());
}
}
清空 persistent_logins 表中记录
SecurityContextLogoutHandler#logout public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
Assert.notNull(request, "HttpServletRequest required");
if (invalidateHttpSession) {
HttpSession session = request.getSession(false);
if (session != null) {
logger.debug("Invalidating session: " + session.getId());
//#1.使当前session失效
session.invalidate();
}
}
if (clearAuthentication) {
SecurityContext context = SecurityContextHolder.getContext();
//#2.清空当前的`SecurityContext`
context.setAuthentication(null);
}
SecurityContextHolder.clearContext();
}
使当前 session 失效
清空当前的 SecurityContext
AbstractAuthenticationTargetUrlRequestHandler#handle protected void handle(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException,
ServletException {
//#1.获取配置的跳转地址
String targetUrl = determineTargetUrl(request, response);
if (response.isCommitted()) {
logger.debug("Response has already been committed. Unable to redirect to " + targetUrl);
return;
}
//#2.跳转请求
redirectStrategy.sendRedirect(request, response, targetUrl);
}
获取配置的跳转地址
跳转请求
代码下载
从我的 github 中下载, github.com/longfeizhen...
来源: https://juejin.im/post/5a606e766fb9a01cad7c38fe