我在 spring security 中遇到问题,我尝试在 spring security 中注销,但似乎不起作用。我请求注销 url,但 session 和身份验证不清除。
这是一个 Spring Cloud 应用程序,运行 Spring Cloud Finchley.RELEASE。使用 zuul、spring security 和 oauth2。
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/login","/login.html").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.successHandler(loginSuccessHandler)
.failureHandler(loginFailHandler)
.permitAll()
.and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessHandler(logoutHandler)
.clearAuthentication(true)
.deleteCookies("JSESSIONID")
.invalidateHttpSession(true);
http .cors().and().csrf().disable();
}
我期望在请求注销网址后,身份验证和 session 无效
最佳答案
在您的 logoutHandler 中使用以下代码。
@Service
@Scope(scopeName = BeanDefinition.SCOPE_SINGLETON)
@Transactional(readOnly=false)
public class CustomLogoutSuccessHandler implements LogoutSuccessHandler{
@Override
public void onLogoutSuccess(HttpServletRequest httpServletRequest,
HttpServletResponse httpServletResponse, Authentication authentication)
throws IOException, ServletException {
if (authentication != null && authentication.getDetails() != null) {
try {
httpServletRequest.getSession().invalidate();
} catch (Exception e) {
e.printStackTrace();
}
}
httpServletResponse.setStatus(HttpServletResponse.SC_OK);
httpServletResponse.sendRedirect("/");
}
}
关于java - 为什么 spring security 注销不起作用?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/57459903/