java 如何使用 Spring Security 创建注销?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/16222841/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How do I create a logout with Spring Security?
提问by SJS
I am trying to find a way just to setup a URL that will logout my user from the system. this is only for testing. Right now we are using the default login page in spring secuirty
我试图找到一种方法来设置一个 URL,该 URL 将从系统中注销我的用户。这仅用于测试。现在我们正在使用 spring 安全中的默认登录页面
here is my spring-secuirty.xml
这是我的 spring-secuirty.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<global-method-security pre-post-annotations="enabled" />
<http use-expressions="true">
<intercept-url access="hasRole('ROLE_VERIFIED_MEMBER')" pattern="/ask-union**" />
<intercept-url access="hasRole('ROLE_VERIFIED_MEMBER')" pattern="/ask-welfare**" />
<intercept-url pattern='/*' access='permitAll' />
<form-login default-target-url="/ask-union" />
<logout logout-success-url="/" />
<session-management session-fixation-protection="newSession">
<concurrency-control max-sessions="1"/>
</session-management>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="[email protected]" password="testing" authorities="ROLE_VERIFIED_MEMBER" />
ser-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
回答by rhinds
Add this line to your config
将此行添加到您的配置中
<logout logout-url="/sign-out"/>
Then if you have a link to that URL, then it will sign you out
然后,如果您有指向该 URL 的链接,它就会将您注销
(Add it just below your logout success config)
(将其添加到您的注销成功配置下方)
回答by Jeevan Patil
I am a bit late on this. But answer may help others.
我在这方面有点晚了。但答案可能会帮助其他人。
Use following code. logout-success-url is the URL you want take user after logging out.
使用以下代码。logout-success-url 是您要在注销后获取用户的 URL。
<http auto-config="true" use-expressions="true" access-denied-page="/denied">
<logout invalidate-session="true" logout-success-url="/landing" delete-cookies="JSESSIONID" />
</http>
回答by Jaymes Bearden
Late to the party, but for future reference -- if you are interested in seeing how the security filters are instantiated and configured from XML, take a look at the following package:
迟到了,但为了将来参考——如果您有兴趣了解如何从 XML 实例化和配置安全过滤器,请查看以下包:
org.springframework.security.config.annotation.web.configurers
For the logout filter configuration, this will be the LogoutConfigurer class. If you review the LogoutConfigurer.createLogoutFilter()method, you'll see how the default Logout filter is created. This implies that you can do the following in an @Configuration class:
对于注销过滤器配置,这将是 LogoutConfigurer 类。如果您查看LogoutConfigurer.createLogoutFilter()方法,您将看到默认的注销过滤器是如何创建的。这意味着您可以在 @Configuration 类中执行以下操作:
@Bean
public LogoutFilter logoutFilter() {
// NOTE: See org.springframework.security.config.annotation.web.configurers.LogoutConfigurer
// for details on setting up a LogoutFilter
SecurityContextLogoutHandler securityContextLogoutHandler = new SecurityContextLogoutHandler();
securityContextLogoutHandler.setInvalidateHttpSession(true);
LogoutFilter logoutFilter = new LogoutFilter("/", securityContextLogoutHandler);
logoutFilter.setLogoutRequestMatcher(new AntPathRequestMatcher("/logout"));
return logoutFilter;
}
If you have that, you can then either configure further by beans or have that bean picked up automatically since its method name is logoutFilter()
如果有,那么您可以通过 bean 进一步配置或自动选择该 bean,因为它的方法名称是logoutFilter()
回答by cabbagery
Double-check the URL you're using -- the absolute path should be your-domain/projectPath/sign-out, per SJS's example. If the relevant portion of your spring-security.xml file looks like the following, it shouldwork:
仔细检查您正在使用的 URL -your-domain/projectPath/sign-out根据 SJS 的示例,绝对路径应该是。如果 spring-security.xml 文件的相关部分如下所示,它应该可以工作:
<http use-expressions="true">
. . .
<logout
logout-success-url="/"
logout-url="/sign-out"/>
If you're able to authenticate, then simply browse to that path, and it should log you out. If it still doesn't try experimenting with the intermediary subdirectories specified in the URL, i.e. your-domain/projectPath/some-subdirectory/log-out.
如果您能够进行身份验证,那么只需浏览到该路径,它就会将您注销。如果它仍然不尝试使用 URL 中指定的中间子目录,即your-domain/projectPath/some-subdirectory/log-out.
Are you able to authenticate? It may not just be the logout aspect that's failing...
你能认证吗?失败的可能不仅仅是注销方面......
