Spring Security source code: Filters, LogoutFilter (part 13)

2021-11-10 15:33:44  Views: 221  Source: Internet

Tags: http Spring LogoutFilter request authentication source-code logout add response


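LogoutFilter handles logout-related logic; its default URL mapping is /logout.

It is initialized by org.springframework.security.config.annotation.web.configurers.LogoutConfigurer.

The default initialization happens here: https://www.cnblogs.com/LQBlog/p/15508248.html#autoid-12-0-0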

    private void applyDefaultConfiguration(HttpSecurity http) throws Exception {
        // http is itself a builder; everything here registers the default configurers. Adds CsrfConfigurer
        http.csrf();
        // Adds a WebAsyncManagerIntegrationFilter by default
        http.addFilter(new WebAsyncManagerIntegrationFilter());
        // Adds ExceptionHandlingConfigurer
        http.exceptionHandling();
        // Adds HeadersConfigurer
        http.headers();
        // Adds SessionManagementConfigurer
        http.sessionManagement();
        // Adds SecurityContextConfigurer
        http.securityContext();
        // Adds RequestCacheConfigurer
        http.requestCache();
        // Adds AnonymousConfigurer
        http.anonymous();
        // Adds ServletApiConfigurer
        http.servletApi();
        // Adds DefaultLoginPageConfigurer
        http.apply(new DefaultLoginPageConfigurer<>());
        // Adds LogoutConfigurer
        http.logout();
    }

A custom handler can be registered via http.logout().addLogoutHandler().
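As an added example (not code from the original article or from Spring Security itself), this is one way to register custom handlers through addLogoutHandler(): a handler that revokes server-side tokens, plus the framework's HeaderWriterLogoutHandler sending Clear-Site-Data. ApiTokenStore, TokenRevokingLogoutHandler and LogoutConfig are hypothetical names; the javax.servlet API and WebSecurityConfigurerAdapter of Spring Security 5.x are assumed.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.HeaderWriterLogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter;

@EnableWebSecurity
public class LogoutConfig extends WebSecurityConfigurerAdapter {

    /** Hypothetical application interface: server-side store of issued API tokens. */
    public interface ApiTokenStore {
        void revokeAllFor(String username);
    }

    /** Hypothetical handler: revokes the user's API tokens when they log out. */
    static class TokenRevokingLogoutHandler implements LogoutHandler {
        private final ApiTokenStore store;

        TokenRevokingLogoutHandler(ApiTokenStore store) { this.store = store; }

        @Override
        public void logout(HttpServletRequest request, HttpServletResponse response,
                Authentication authentication) {
            // LogoutFilter passes the Authentication from SecurityContextHolder,
            // which is null when /logout is requested without a logged-in user.
            if (authentication != null) {
                store.revokeAllFor(authentication.getName());
            }
        }
    }

    private final ApiTokenStore store;

    public LogoutConfig(ApiTokenStore store) { this.store = store; }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.logout()
            .addLogoutHandler(new TokenRevokingLogoutHandler(store))
            // Ask the browser to drop cookies and storage for this origin;
            // the header is written only for secure (HTTPS) requests.
            .addLogoutHandler(new HeaderWriterLogoutHandler(new ClearSiteDataHeaderWriter(
                    ClearSiteDataHeaderWriter.Directive.COOKIES,
                    ClearSiteDataHeaderWriter.Directive.STORAGE)));
    }
}
```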

LogoutFilter

    private void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Check whether this request should be handled; the default match is /logout
        if (requiresLogout(request, response)) {
            // Get the Authentication from SecurityContextHolder
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (this.logger.isDebugEnabled()) {
                this.logger.debug(LogMessage.format("Logging out [%s]", auth));
            }
            /**
             * Calls CompositeLogoutHandler, which also implements LogoutHandler; it is only a unified manager
             * that loops over the registered LogoutHandlers internally.
             * There are three by default:
             * PersistentTokenBasedRememberMeServices <1>
             * SecurityContextLogoutHandler <2>
             * LogoutSuccessEventPublishingLogoutHandler <3>
             */
            this.handler.logout(request, response, auth);
            // SimpleUrlLogoutSuccessHandler handles a successful logout, e.g. by redirecting to the login page
            this.logoutSuccessHandler.onLogoutSuccess(request, response, auth);
            return;
        }
        chain.doFilter(request, response);
    }

<1>

org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices#logout

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
        // Clear the cookie
        super.logout(request, response, authentication);
        if (authentication != null) {
            // Delete the token
            this.tokenRepository.removeUserTokens(authentication.getName());
        }
    }

<2>

org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler#logout

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
        Assert.notNull(request, "HttpServletRequest required");
        if (this.invalidateHttpSession) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                // Invalidate the session
                session.invalidate();
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug(LogMessage.format("Invalidated session %s", session.getId()));
                }
            }
        }
        if (this.clearAuthentication) {
            // Clear the authentication
            SecurityContext context = SecurityContextHolder.getContext();
            context.setAuthentication(null);
        }
        // Clear the context
        SecurityContextHolder.clearContext();
    }

<3>

Publishes a Spring event; we can listen for this event to learn that a user has logged out. See: https://www.cnblogs.com/LQBlog/p/13878553.html#_label5

org.springframework.security.web.authentication.logout.LogoutSuccessEventPublishingLogoutHandler#logout

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
        if (this.eventPublisher == null) {
            return;
        }
        if (authentication == null) {
            return;
        }
        this.eventPublisher.publishEvent(new LogoutSuccessEvent(authentication));
    }
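As an added example (not from the original article), a listener for the event published in <3>, used here as a logout audit trail. As the handler above shows, no event is published when the Authentication is null, so a /logout request without a logged-in user leaves no record here. LogoutAuditListener, the "security.audit" logger name and sanitize() are hypothetical.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.LogoutSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.stereotype.Component;

/** Hypothetical audit component; the class and logger names are illustrative. */
@Component
public class LogoutAuditListener {

    private static final Logger AUDIT = LoggerFactory.getLogger("security.audit");

    @EventListener
    public void onLogout(LogoutSuccessEvent event) {
        // The publishing handler returns early for a null Authentication,
        // so the event always carries one.
        Authentication auth = event.getAuthentication();
        String remote = "unknown";
        // The listener has no request object; the client address recorded at
        // login is available only when the details are WebAuthenticationDetails.
        if (auth.getDetails() instanceof WebAuthenticationDetails) {
            remote = ((WebAuthenticationDetails) auth.getDetails()).getRemoteAddress();
        }
        AUDIT.info("logout user={} type={} loginRemote={}",
                sanitize(auth.getName()), auth.getClass().getSimpleName(), remote);
    }

    /** Neutralise CR/LF so a crafted user name cannot forge extra log lines. */
    static String sanitize(String value) {
        return value == null ? "" : value.replaceAll("[\\r\\n]", "_");
    }
}
```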

Source: https://www.cnblogs.com/LQBlog/p/15533703.html