【问题标题】:spring security customize logout handler春季安全自定义注销处理程序
【发布时间】:2011-03-07 23:29:25
【问题描述】:

如何在 spring-security 中将自己的注销处理程序添加到 LogoutFilter ? 谢谢!

【问题讨论】:

    标签: java spring spring-security


    【解决方案1】:

    您可以像这样使用 java-config 解决方案。

    
    @Configuration
    @EnableWebSecurity
    
    public class SpringSecurity2Config extends WebSecurityConfigurerAdapter {
    
    
        @Override
        protected void configure(HttpSecurity http) throws Exception {
           //you can set other security config by call http.XXX()
    
            http
                    .logout()
                    .addLogoutHandler(new CustomLogoutHandler())
                    .logoutUrl("/logout")
                    .logoutSuccessHandler(...)
                    .permitAll();
    
        }
    
        static class CustomLogoutHandler implements LogoutHandler {
            @Override
            public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
                //...
    
            }
    
        }
    
    }
    

    【讨论】:

      【解决方案2】:

      在 Spring 安全论坛的this post 中查看答案:

      XML 定义:

      <beans:bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
          <custom-filter position="LOGOUT_FILTER"/>
          <beans:constructor-arg index="0" value="/logout.jsp"/>
          <beans:constructor-arg index="1">
              <beans:list>
                  <beans:ref bean="securityContextLogoutHandler"/>
                  <beans:ref bean="myLogoutHandler"/>
              </beans:list>
          </beans:constructor-arg>
      </beans:bean>
      
      <beans:bean id="securityContextLogoutHandler" class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"/>
      
      <beans:bean id="myLogoutHandler" class="com.whatever.CustomLogoutHandler">
          <beans:property name="userCache" ref="userCache"/>
      </beans:bean>
      

      LogoutHandler 类:

      public class CustomLogoutHandler implements LogoutHandler {
          private UserCache userCache;
      
          public void logout(final HttpServletRequest request, final HttpServletResponse response, final Authentication authentication) {
              // ....
          }
      
          @Required
          public void setUserCache(final UserCache userCache) {
              this.userCache = userCache;
          }
      }
      

      【讨论】:

        【解决方案3】:

        以下解决方案对我有用,可能会有所帮助:

        1. 扩展SimpleUrlLogoutSuccessHandler或实现LogoutHandler

          public class LogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {
          
             // Just for setting the default target URL
             public LogoutSuccessHandler(String defaultTargetURL) {
                  this.setDefaultTargetUrl(defaultTargetURL);
             }
          
             @Override
             public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
          
                  // do whatever you want
                  super.onLogoutSuccess(request, response, authentication);
             }
          }
          
        2. 添加到您的 Spring 安全配置中:

          <security:logout logout-url="/logout" success-handler-ref="logoutSuccessHandler" />
          <bean id="logoutSuccessHandler" class="your.package.name.LogoutSuccessHandler" >
              <constructor-arg value="/putInYourDefaultTargetURLhere" />
          </bean>
          

        【讨论】:

        • 构造函数不是必须的。
        • 他要的是LogoutHandler而不是LogoutSuccessHandler
        • 不需要定义协程,用&lt;beans:property name="defaultTargetUrl" value="/putInYourDefaultTargetURLhere"/&gt;代替&lt;constructor-arg value="/putInYourDefaultTargetURLhere"/&gt;
        【解决方案4】:

        你应该使用&lt;logout&gt;元素的success-handler-ref属性:

        <security:logout invalidate-session="true"
                  success-handler-ref="myLogoutHandler"
                  logout-url="/logout" />
        

        作为替代解决方案,您可以在注销 URL 上配置自己的过滤器。

        【讨论】:

        • myLogoutHandler 必须从哪个类扩展?
        • @Neuquino,你应该实现org.springframework.security.web.authentication.logout.LogoutHandler
        • 不能同时使用 logout-url 和 success-handler-ref。
        • successHandler 和 logoutHandler 是两个不同的东西。有时你想要一个自定义的 LogoutHandler(因为它在 LogoutSuccessHandler 之前运行)
        猜你喜欢
        • 1970-01-01
        • 2015-11-20
        • 2015-10-02
        • 2011-11-11
        • 2016-06-09
        • 2015-07-30
        • 1970-01-01
        • 1970-01-01
        • 2016-11-06
        相关资源
        最近更新 更多