内容简介:Spring Security源码分析八:Spring Security 退出
Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。它提供了一组可以在Spring应用上下文中配置的Bean,充分利用了Spring IoC,DI(控制反转Inversion of Control ,DI:Dependency Injection 依赖注入)和AOP(面向切面编程)功能,为应用系统提供声明式的安全访问控制功能,减少了为企业系统安全控制编写大量重复代码的工作。
退出原理
-
清除
Cookie -
清除当前用户的
remember-me记录 -
使当前
session失效 -
清空当前的
SecurityContext - 重定向到登录界面
Spring Security
的退出请求(默认为 /logout
)由LogoutFilter过滤器拦截处理。
退出的实现
- 主页中添加退出链接
<a href="/signOut">退出</a>
......
.and()
.logout()
.logoutUrl("/signOut")//自定义退出的地址
.logoutSuccessUrl("/register")//退出之后跳转到注册页面
.deleteCookies("JSESSIONID")//删除当前的JSESSIONID
.and()
......
效果如下
源码分析
LogoutFilter#doFilter
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
//#1.匹配到/logout请求
if (requiresLogout(request, response)) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (logger.isDebugEnabled()) {
logger.debug("Logging out user '" + auth
+ "' and transferring to logout destination");
}
//#2.处理1-4步
this.handler.logout(request, response, auth);
//#3.重定向到注册界面
logoutSuccessHandler.onLogoutSuccess(request, response, auth);
return;
}
chain.doFilter(request, response);
}
- 匹配当前拦截的请求
-
处理 清空
Cookie、remember-me、session和SecurityContext - 重定向到登录界面
handler
-
CookieClearingLogoutHandler清空Cookie -
PersistentTokenBasedRememberMeServices清空remember-me -
SecurityContextLogoutHandler使当前session无效,清空当前的SecurityContext
CookieClearingLogoutHandler#logout
public void logout(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) {
for (String cookieName : cookiesToClear) {
//# 1.Cookie置为null
Cookie cookie = new Cookie(cookieName, null);
String cookiePath = request.getContextPath();
if (!StringUtils.hasLength(cookiePath)) {
cookiePath = "/";
}
cookie.setPath(cookiePath);
cookie.setMaxAge(0);
response.addCookie(cookie);
}
}
-
Cookie置为null
PersistentTokenBasedRememberMeServices#logout
public void logout(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) {
super.logout(request, response, authentication);
if (authentication != null) {
//#1.清空persistent_logins表中记录
tokenRepository.removeUserTokens(authentication.getName());
}
}
- 清空persistent_logins表中记录
SecurityContextLogoutHandler#logout
public void logout(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) {
Assert.notNull(request, "HttpServletRequest required");
if (invalidateHttpSession) {
HttpSession session = request.getSession(false);
if (session != null) {
logger.debug("Invalidating session: " + session.getId());
//#1.使当前session失效
session.invalidate();
}
}
if (clearAuthentication) {
SecurityContext context = SecurityContextHolder.getContext();
//#2.清空当前的`SecurityContext`
context.setAuthentication(null);
}
SecurityContextHolder.clearContext();
}
- 使当前session失效
-
清空当前的
SecurityContext
AbstractAuthenticationTargetUrlRequestHandler#handle
protected void handle(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) throws IOException, ServletException {
//#1.获取配置的跳转地址
String targetUrl = determineTargetUrl(request, response);
if (response.isCommitted()) {
logger.debug("Response has already been committed. Unable to redirect to "
+ targetUrl);
return;
}
//#2.跳转请求
redirectStrategy.sendRedirect(request, response, targetUrl);
}
- 获取配置的跳转地址
- 跳转请求
以上就是本文的全部内容,希望本文的内容对大家的学习或者工作能带来一定的帮助,也希望大家多多支持 码农网
猜你喜欢:
- JAVA线程池原理源码解析—为什么启动一个线程池,提交一个任务后,Main方法不会退出?
- JVM安全退出
- SpringBoot优雅退出
- 一次 JVM 进程退出分析
- iOS 登录、退出流程整理
- C# 获取进程退出代码
本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。
High Performance Python
Micha Gorelick、Ian Ozsvald / O'Reilly Media / 2014-9-10 / USD 39.99
If you're an experienced Python programmer, High Performance Python will guide you through the various routes of code optimization. You'll learn how to use smarter algorithms and leverage peripheral t......一起来看看 《High Performance Python》 这本书的介绍吧!
