java Spring security - Disable logout redirect

Notice: this page is a Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use or share it you must do so under the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/36354405/

Date: 2020-11-03 01:19:06  Source: igfitidea

Spring security - Disable logout redirect

java spring spring-security

Question by uncallable

I'm using spring security with REST, and I'm using the URL (/logout) as an endpoint for my logout method. But after calling this method, it redirect me to (/login?logout), I know this is the spring logOutSuccessUrl. And I want to get rid of the redirection. This is my code:


protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests()
            .antMatchers("/login").permitAll()
            .anyRequest().fullyAuthenticated()
            .and().requiresChannel().anyRequest().requiresSecure()
            .and().httpBasic().disable()
            .logout().disable()
            // .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK))
            .csrf().disable();

}

I tried to use HttpStatusReturningLogoutSuccessHandler but it didn't work, and even setting logoutSuccessUrl() doesn't change anything.


Do you know how can I disable this redirection?


Answer by Tahir Akhtar

The following code works for me (notice that it doesn't have logout().disable()):


http.logout().permitAll();
http.logout().logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK));

Answer by Sebastian

So since there is no accepted answer yet, I post my solution, which worked for me:


.logout()
.logoutUrl("/api/user/logout")
.permitAll()
.logoutSuccessHandler((httpServletRequest, httpServletResponse, authentication) -> {
    httpServletResponse.setStatus(HttpServletResponse.SC_OK);
})
.and()

Just return a clean HTTP_OK (200) after successful logout; Spring won't redirect you in this case.

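Tahir Akhtar's and Sebastian's answers combined into one complete configuration, as an added example that is not from the original thread. It assumes Spring Security 4.x/5.x with WebSecurityConfigurerAdapter (removed in 6.0) and a REST client that sends POST /logout; the POST-only request matcher, session invalidation and cookie deletion are defensive additions beyond what the answers show.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class RestSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().fullyAuthenticated()
                .and()
            // CSRF is disabled here as in the question; without the CSRF filter Spring's
            // default logout matcher also accepts GET, so a plain link or <img> tag could
            // log the user out. Restricting the matcher to POST closes that gap.
            .csrf().disable()
            .httpBasic()
                .and()
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "POST"))
                // Drop the server-side session and the session cookie on logout
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                // Reply with a bare 204 instead of redirecting to /login?logout
                .logoutSuccessHandler(
                        new HttpStatusReturningLogoutSuccessHandler(HttpStatus.NO_CONTENT))
                // The logout endpoint must stay reachable once the session is gone
                .permitAll();
    }
}
```

Verify with `curl -i -X POST -u user:pass https://host/logout`: the response should be `204 No Content` with no `Location` header.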

Answer by Ahmad

Use this method:


.logout().logoutSuccessUrl("enter address here where you want to go after logout")

Answer by Younes

For those who use XML config, here is the equivalent snippet for the one given by Tahir Akhtar.


Within the <http> element, configure the <logout> element as follows:

<http>元素中,<logout>按如下方式配置元素:

<logout
    logout-url          = "/some/path/for/logout"
    invalidate-session  = "true"
    delete-cookies      = "JSESSIONID"
    success-handler-ref = "httpStatusReturningLogoutSuccessHandler"
/>

And define the httpStatusReturningLogoutSuccessHandler bean as follows:


<bean
    id      = "httpStatusReturningLogoutSuccessHandler"
    class   = "org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler"
/>

Answer by user3888170

You might want to try this:


http.logout().logoutRequestMatcher(new AntPathRequestMatcher("/thisistomisleadlogoutfilter"));

This effectively redirects /thisistomisleadlogoutfilter to login?logout. As such you should be able to use /logout instead.


Answer by Aura

For the logoutSuccessXXX() action, do not forget to add permitAll(), since the cookie is cleared after the logout() method is called. So my sample solution is:


http
    // ......
    .and()
        .logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/logoutSuccess")
            .permitAll()

Answer by Kathryn Newbould

I used this:


import static java.util.Optional.ofNullable;

import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.ResponseStatus;

// tokenStore is the injected TokenStore of the authorization server (spring-security-oauth2)
@ResponseStatus(HttpStatus.NO_CONTENT)
@PostMapping(value = "/oauth/revoke")
public void revokeToken(Authentication authentication) {
    ofNullable(authentication).ifPresent(auth -> {
        OAuth2AccessToken accessToken = tokenStore.getAccessToken((OAuth2Authentication) auth);

        ofNullable(accessToken).ifPresent(oAuth2AccessToken -> {
            // Remove the refresh token first so it cannot be used to mint a new access token
            ofNullable(oAuth2AccessToken.getRefreshToken()).ifPresent(tokenStore::removeRefreshToken);
            tokenStore.removeAccessToken(accessToken);
        });
    });
}

From this gist


Which worked perfectly. I recommend doing this over the logout() override primarily because it (well, it works, but other than that) preserves the oauth2 basic flow (/oauth/revoke) instead of using /logout or similar.


Hope that helps!
