内容简介:Spring Security源码分析八:Spring Security 退出
Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。它提供了一组可以在Spring应用上下文中配置的Bean,充分利用了Spring IoC,DI(控制反转Inversion of Control ,DI:Dependency Injection 依赖注入)和AOP(面向切面编程)功能,为应用系统提供声明式的安全访问控制功能,减少了为企业系统安全控制编写大量重复代码的工作。
退出原理
-
清除
Cookie
-
清除当前用户的
remember-me
记录 -
使当前
session
失效 -
清空当前的
SecurityContext
- 重定向到登录界面
Spring Security
的退出请求(默认为 /logout
)由LogoutFilter过滤器拦截处理。
退出的实现
- 主页中添加退出链接
<a href="/signOut">退出</a>
...... .and() .logout() .logoutUrl("/signOut")//自定义退出的地址 .logoutSuccessUrl("/register")//退出之后跳转到注册页面 .deleteCookies("JSESSIONID")//删除当前的JSESSIONID .and() ......
效果如下
源码分析
LogoutFilter#doFilter
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; //#1.匹配到/logout请求 if (requiresLogout(request, response)) { Authentication auth = SecurityContextHolder.getContext().getAuthentication(); if (logger.isDebugEnabled()) { logger.debug("Logging out user '" + auth + "' and transferring to logout destination"); } //#2.处理1-4步 this.handler.logout(request, response, auth); //#3.重定向到注册界面 logoutSuccessHandler.onLogoutSuccess(request, response, auth); return; } chain.doFilter(request, response); }
- 匹配当前拦截的请求
-
处理 清空
Cookie
、remember-me
、session
和SecurityContext
- 重定向到登录界面
handler
-
CookieClearingLogoutHandler
清空Cookie
-
PersistentTokenBasedRememberMeServices
清空remember-me
-
SecurityContextLogoutHandler
使当前session
无效,清空当前的SecurityContext
CookieClearingLogoutHandler#logout
public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) { for (String cookieName : cookiesToClear) { //# 1.Cookie置为null Cookie cookie = new Cookie(cookieName, null); String cookiePath = request.getContextPath(); if (!StringUtils.hasLength(cookiePath)) { cookiePath = "/"; } cookie.setPath(cookiePath); cookie.setMaxAge(0); response.addCookie(cookie); } }
-
Cookie
置为null
PersistentTokenBasedRememberMeServices#logout
public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) { super.logout(request, response, authentication); if (authentication != null) { //#1.清空persistent_logins表中记录 tokenRepository.removeUserTokens(authentication.getName()); } }
- 清空persistent_logins表中记录
SecurityContextLogoutHandler#logout
public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) { Assert.notNull(request, "HttpServletRequest required"); if (invalidateHttpSession) { HttpSession session = request.getSession(false); if (session != null) { logger.debug("Invalidating session: " + session.getId()); //#1.使当前session失效 session.invalidate(); } } if (clearAuthentication) { SecurityContext context = SecurityContextHolder.getContext(); //#2.清空当前的`SecurityContext` context.setAuthentication(null); } SecurityContextHolder.clearContext(); }
- 使当前session失效
-
清空当前的
SecurityContext
AbstractAuthenticationTargetUrlRequestHandler#handle
protected void handle(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException { //#1.获取配置的跳转地址 String targetUrl = determineTargetUrl(request, response); if (response.isCommitted()) { logger.debug("Response has already been committed. Unable to redirect to " + targetUrl); return; } //#2.跳转请求 redirectStrategy.sendRedirect(request, response, targetUrl); }
- 获取配置的跳转地址
- 跳转请求
以上就是本文的全部内容,希望本文的内容对大家的学习或者工作能带来一定的帮助,也希望大家多多支持 码农网
猜你喜欢:- JAVA线程池原理源码解析—为什么启动一个线程池,提交一个任务后,Main方法不会退出?
- JVM安全退出
- SpringBoot优雅退出
- 一次 JVM 进程退出分析
- iOS 登录、退出流程整理
- C# 获取进程退出代码
本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。