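Spring Security custom LogoutHandler not called

Date: 2013-12-23 13:09:03

Tags: java spring spring-security

I have implemented my own LogoutHandler and I'm trying to configure it in the Spring Security XML, but for some reason it is not being called on logout (the logout succeeds, but my code is not executed).

Here is my security.xml: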

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<security:http use-expressions="true">
    <security:intercept-url pattern="/logoutSuccess"
        access="permitAll" />

    <security:logout logout-url="/logout"
        logout-success-url="/logoutSuccess" />
</security:http>

<bean id="logoutFilter"
    class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <constructor-arg index="0" value="/logoutSuccess" />
    <constructor-arg index="1">
        <list>
            <bean id="securityContextLogoutHandler"
                class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
            <bean id="myLogoutHandler" class="my.package.MyLogoutHandler" />
        </list>
    </constructor-arg>
    <property name="filterProcessesUrl" value="/logout" />
</bean>

</beans>

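MyLogoutHandler - this is what I want executed on logout, but it is not being called:

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;

public class MyLogoutHandler implements LogoutHandler {

    // Invoked by LogoutFilter for each handler in its list when the logout URL is hit
    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {

        System.out.println("logout!");

    }
}

Does anyone know why it isn't working? Thanks!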

1 answer:

Answer 0 (score: 8)

If you want to use a custom filter instead of the Spring Security default logout filter, add this line to the logout filter bean

<security:custom-filter position="LOGOUT_FILTER"/>

or add this line to the Spring Security config

 <security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER"/>

Edited

<security:http use-expressions="true">
    <security:intercept-url pattern="/logoutSuccess"
        access="permitAll" />

<security:logout logout-url="/logout"
        logout-success-url="/logoutSuccess" success-handler-ref="myLogoutHandler" />
</security:http>
  <bean id="myLogoutHandler" class="my.package.MyLogoutHandler" />

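You can also implement the LogoutSuccessHandler interface instead of LogoutHandler

EDIT2

OK, so if you don't want your handler to be called after the logout completes, remove the logout tag and set everything in the logout filter bean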

<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <constructor-arg index="0" value="/logoutSuccess" />
    <constructor-arg index="1">
        <list>
            <bean id="securityContextLogoutHandler"
                class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
            <bean id="myLogoutHandler" class="my.package.MyLogoutHandler" />
        </list>
    </constructor-arg>
    <property name="filterProcessesUrl" value="/logout" />
</bean>

and add <security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER"/>
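
The answer mentions implementing LogoutSuccessHandler instead of LogoutHandler but shows no Java for it. The following is an added example, not code from the original question or answer: a success handler that writes an audit line and then performs the redirect itself. The class name AuditingLogoutSuccessHandler and the log format are assumptions; /logoutSuccess is the target URL used on this page.

```java
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

// Hypothetical class for illustration; not part of the original question or answer.
public class AuditingLogoutSuccessHandler implements LogoutSuccessHandler {

    private static final Logger LOG =
            Logger.getLogger(AuditingLogoutSuccessHandler.class.getName());

    // Same target the page configures as logout-success-url.
    private static final String TARGET_URL = "/logoutSuccess";

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        // authentication is null when the logout URL is requested without an
        // authenticated session, so guard before reading the user name.
        String user = (authentication != null) ? authentication.getName() : "anonymous";
        LOG.info("logout user=" + stripNewlines(user)
                + " remote=" + request.getRemoteAddr());

        // With a success handler in place, the redirect is the handler's job.
        response.sendRedirect(
                response.encodeRedirectURL(request.getContextPath() + TARGET_URL));
    }

    // Keep CR/LF out of the audit line so a crafted user name cannot forge log entries.
    private static String stripNewlines(String value) {
        return (value == null) ? "" : value.replaceAll("[\\r\\n]", "_");
    }
}
```

Registered through `success-handler-ref` on `<security:logout>`, this class runs after the filter's logout handlers have cleared the session and security context.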