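【Question title】: Okta automatic logout in Spring Application
【Posted】: 2019-03-13 00:42:03
【Question description】:

How do I configure Okta automatic logout in a Spring application so that the user session is destroyed and the user is also logged out on the Okta side?

【Question discussion】:

Tags: java spring session okta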


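【Solution 1】:

Here is the result:

1) Register a logoutHandler in the Spring application and set the session timeout, as shown here: How to log out automatically with Spring Security

2) You need to extend Spring's SimpleUrlLogoutSuccessHandler and put all the SAML logic in it, as in the following code: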

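```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.opensaml.common.SAMLException;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.saml.SAMLConstants;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.context.SAMLContextProvider;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.SingleLogoutProfile;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import org.springframework.util.Assert;

public class SamlAutomaticLogout extends SimpleUrlLogoutSuccessHandler {

    /**
     * Name of parameter of HttpRequest indicating whether this call should perform only local logout.
     * In case the value is true no global logout will be invoked.
     */
    private static final String LOGOUT_PARAMETER = "local";

    @Autowired
    private SingleLogoutProfile profile;

    @Autowired
    private SAMLContextProvider contextProvider;

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication authentication) throws IOException, ServletException {
        try {
            if (authentication != null && isGlobalLogout(request, authentication)) {

                Assert.isInstanceOf(SAMLCredential.class, authentication.getCredentials(),
                    "Authentication object doesn't contain SAML credential, cannot perform global logout");

                // Terminate the session first
                HttpSession session = request.getSession(false);
                SecurityContextHolder.clearContext();
                if (session != null) {
                    session.invalidate();
                }

                // Notify session participants using SAML Single Logout profile
                SAMLCredential credential = (SAMLCredential) authentication.getCredentials();
                request.setAttribute(SAMLConstants.LOCAL_ENTITY_ID, credential.getLocalEntityID());
                request.setAttribute(SAMLConstants.PEER_ENTITY_ID, credential.getRemoteEntityID());
                SAMLMessageContext context = contextProvider.getLocalAndPeerEntity(request, response);
                profile.sendLogoutRequest(context, credential);
            }
        } catch (SAMLException e) {
            logger.debug("Error initializing global logout", e);
            throw new ServletException("Error initializing global logout", e);
        } catch (MetadataProviderException e) {
            logger.debug("Error processing metadata", e);
            throw new ServletException("Error processing metadata", e);
        } catch (MessageEncodingException e) {
            logger.debug("Error encoding outgoing message", e);
            throw new ServletException("Error encoding outgoing message", e);
        }

        // Falls through to the default redirect when no SAML LogoutRequest was sent
        super.onLogoutSuccess(request, response, authentication);
    }

    /** Global (IdP) logout unless the request carries local=true or the login was not SAML-based. */
    private boolean isGlobalLogout(HttpServletRequest request, Authentication auth) {
        String localLogout = request.getParameter(LOGOUT_PARAMETER);
        return (localLogout == null || !"true".equals(localLogout.toLowerCase().trim()))
            && (auth.getCredentials() instanceof SAMLCredential);
    }
}
```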
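
One way to wire step 1 around the handler above, as an added example that is not part of the original answer. It assumes Spring Boot (which registers `HttpSessionListener` beans with the servlet container) and an existing Spring Security SAML setup into which the logout part is merged; the class name `AutoLogoutConfig`, the 15-minute timeout, the `/logout` URL and the `/` target are hypothetical values.

```java
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class AutoLogoutConfig extends WebSecurityConfigurerAdapter {

    // Assumed idle timeout; choose a value that matches your session policy.
    private static final int IDLE_TIMEOUT_SECONDS = 15 * 60;

    // Declared as a bean so the handler's @Autowired SingleLogoutProfile
    // and SAMLContextProvider fields are injected by the container.
    @Bean
    public SamlAutomaticLogout samlAutomaticLogout() {
        SamlAutomaticLogout handler = new SamlAutomaticLogout();
        handler.setDefaultTargetUrl("/"); // assumed target after a local-only logout
        return handler;
    }

    // Applies the idle timeout to every newly created HTTP session.
    @Bean
    public HttpSessionListener idleTimeoutListener() {
        return new HttpSessionListener() {
            @Override
            public void sessionCreated(HttpSessionEvent event) {
                event.getSession().setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
            }
            @Override
            public void sessionDestroyed(HttpSessionEvent event) { }
        };
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // With CSRF protection enabled, /logout must be requested with POST.
        http
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessHandler(samlAutomaticLogout());
    }
}
```

The handler sends the SAML LogoutRequest only when a request reaches the logout URL while the user is still authenticated, because `onLogoutSuccess` skips the global logout when `authentication` is null. A session that simply expires on the server is destroyed locally without notifying Okta.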

【Discussion】:
