退出原理 清除Cookie 清除当前用户的remember-me记录 使当前session失效 清空当前的SecurityContext 重定向到登录界面
Spring Security的退出请求(默认为 /logout )由 LogoutFilter 过滤器拦截处理。
退出的实现 主页中添加退出链接 <a href="/signOut">退出</a> 复制代码 配置MerryyouSecurityConfig ...... .and() .logout() .logoutUrl("/signOut")//自定义退出的地址 .logoutSuccessUrl("/register")//退出之后跳转到注册页面 .deleteCookies("JSESSIONID")//删除当前的JSESSIONID .and() ...... 复制代码效果如下
源码分析 LogoutFilter#doFilter public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; //#1.匹配到/logout请求 if (requiresLogout(request, response)) { Authentication auth = SecurityContextHolder.getContext().getAuthentication(); if (logger.isDebugEnabled()) { logger.debug("Logging out user '" + auth + "' and transferring to logout destination"); } //#2.处理1-4步 this.handler.logout(request, response, auth); //#3.重定向到注册界面 logoutSuccessHandler.onLogoutSuccess(request, response, auth); return; } chain.doFilter(request, response); } 复制代码 匹配当前拦截的请求 处理 清空Cookie、remember-me、session和SecurityContext 重定向到登录界面 handler
CookieClearingLogoutHandler 清空Cookie PersistentTokenBasedRememberMeServices 清空 remember-me SecurityContextLogoutHandler 使当前 session 无效,清空当前的 SecurityContext CookieClearingLogoutHandler#logout
Cookie置为null
public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) { for (String cookieName : cookiesToClear) { //# 1.Cookie置为null Cookie cookie = new Cookie(cookieName, null); String cookiePath = request.getContextPath(); if (!StringUtils.hasLength(cookiePath)) { cookiePath = "/"; } cookie.setPath(cookiePath); cookie.setMaxAge(0); response.addCookie(cookie); } } 复制代码 PersistentTokenBasedRememberMeServices#logout清空persistent_logins表中记录
public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) { super.logout(request, response, authentication); if (authentication != null) { //#1.清空persistent_logins表中记录 tokenRepository.removeUserTokens(authentication.getName()); } } 复制代码 SecurityContextLogoutHandler#logout 使当前session失效 清空当前的SecurityContext public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) { Assert.notNull(request, "HttpServletRequest required"); if (invalidateHttpSession) { HttpSession session = request.getSession(false); if (session != null) { logger.debug("Invalidating session: " + session.getId()); //#1.使当前session失效 session.invalidate(); } } if (clearAuthentication) { SecurityContext context = SecurityContextHolder.getContext(); //#2.清空当前的`SecurityContext` context.setAuthentication(null); } SecurityContextHolder.clearContext(); } 复制代码 AbstractAuthenticationTargetUrlRequestHandler#handle 获取配置的跳转地址 跳转请求protected void handle(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException { //#1.获取配置的跳转地址 String targetUrl = determineTargetUrl(request, response); if (response.isCommitted()) { logger.debug("Response has already been committed. Unable to redirect to " + targetUrl); return; } //#2.跳转请求 redirectStrategy.sendRedirect(request, response, targetUrl); } 复制代码