How do I delete the refresh token and access token when a user logs out in OAuth 2.0?

Time: 2014-09-25 10:44:28

Tags: spring-security oauth-2.0

I tried...

 <sec:logout invalidate-session="true" logout-success-url="/logoutsuccess" logout-url="/logout" />

but it doesn't work properly.... I want everything cleared when the user logs out: the refresh token, the access token, the session, cookies and so on....

My security-servlet.xml looks like this:

<!-- Protected resources -->
<sec:http create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
    access-decision-manager-ref="accessDecisionManager"
    xmlns="http://www.springframework.org/schema/security">
    <sec:anonymous enabled="false" />
    <sec:intercept-url pattern="/data/user/*"
        access="IS_AUTHENTICATED_FULLY" />
    <sec:logout delete-cookies="JSESSIONID" invalidate-session="true" />
    <sec:custom-filter ref="resourceServerFilter"
        before="PRE_AUTH_FILTER" />
    <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>

2 answers:

Answer 0 (score: 2)

In a Spring Boot application I would:

1. get the OAuth2AccessToken
2. use it to delete the OAuth2RefreshToken
3. then delete the access token itself

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.stereotype.Component;

@Component
public class CustomLogoutSuccessHandler
        extends AbstractAuthenticationTargetUrlRequestHandler
        implements LogoutSuccessHandler {

    private static final String BEARER_AUTHENTICATION = "Bearer ";
    private static final String HEADER_AUTHORIZATION = "authorization";

    // The same TokenStore the authorization/resource server uses (e.g. a JdbcTokenStore)
    @Autowired
    private TokenStore tokenStore;

    @Override
    public void onLogoutSuccess(HttpServletRequest httpServletRequest,
                                HttpServletResponse httpServletResponse,
                                Authentication authentication) throws IOException, ServletException {

        String token = httpServletRequest.getHeader(HEADER_AUTHORIZATION);

        if (token != null && token.startsWith(BEARER_AUTHENTICATION)) {
            // Take everything after "Bearer " (split(" ")[1] would throw on a bare "Bearer " header)
            String accessTokenValue = token.substring(BEARER_AUTHENTICATION.length()).trim();

            // 1. look the access token up in the store
            OAuth2AccessToken oAuth2AccessToken = tokenStore.readAccessToken(accessTokenValue);
            if (oAuth2AccessToken != null) {
                // 2. remove the refresh token linked to it, if there is one
                OAuth2RefreshToken oAuth2RefreshToken = oAuth2AccessToken.getRefreshToken();
                if (oAuth2RefreshToken != null) {
                    tokenStore.removeRefreshToken(oAuth2RefreshToken);
                }
                // 3. remove the access token itself
                tokenStore.removeAccessToken(oAuth2AccessToken);
            }
        }

        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
    }

}
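
Added example, not code from the question or either answer: the same revocation the answer above performs by hand, delegated to `DefaultTokenServices.revokeToken` (which removes the linked refresh token and then the access token) and wired as a `LogoutHandler`, so it runs during `/logout` before any success handler. The class name, the `main` demo with an `InMemoryTokenStore` and the token values are assumed/constructed for illustration.

```java
import java.util.Collections;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.ConsumerTokenServices;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;
import org.springframework.security.web.authentication.logout.LogoutHandler;

public class TokenRevokingLogoutHandler implements LogoutHandler {  // assumed class name
    private final ConsumerTokenServices tokenServices;

    public TokenRevokingLogoutHandler(ConsumerTokenServices tokenServices) {
        this.tokenServices = tokenServices;
    }

    /** Revokes the token from an "Authorization: Bearer ..." header; false if nothing was revoked. */
    public boolean revokeBearer(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return false;
        }
        String value = authorizationHeader.substring(7).trim();
        // DefaultTokenServices.revokeToken removes the linked refresh token first, then the access token
        return !value.isEmpty() && tokenServices.revokeToken(value);
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication auth) {
        revokeBearer(request.getHeader("Authorization"));
    }

    /** Constructed offline demo: store a linked access/refresh pair in memory, then revoke both. */
    public static void main(String[] args) {
        InMemoryTokenStore store = new InMemoryTokenStore();
        DefaultTokenServices services = new DefaultTokenServices();
        services.setTokenStore(store);
        OAuth2Request req = new OAuth2Request(null, "demo-client", null, true, Collections.singleton("read"), null, null, null, null);
        Authentication user = new UsernamePasswordAuthenticationToken("alice", "n/a", Collections.emptyList());
        OAuth2Authentication auth = new OAuth2Authentication(req, user);
        DefaultOAuth2AccessToken access = new DefaultOAuth2AccessToken("access-123");  // constructed value
        access.setRefreshToken(new DefaultOAuth2RefreshToken("refresh-456"));         // constructed value
        store.storeRefreshToken(access.getRefreshToken(), auth);
        store.storeAccessToken(access, auth);
        boolean revoked = new TokenRevokingLogoutHandler(services).revokeBearer("Bearer access-123");
        System.out.println("revoked=" + revoked + " access=" + store.readAccessToken("access-123") + " refresh=" + store.readRefreshToken("refresh-456"));
    }
}
```

Because the question's `<sec:http>` uses `create-session="never"`, `invalidate-session` and `delete-cookies` have nothing to act on for bearer-token clients, so removing the tokens from the store is what actually ends the client's access. Register the handler on the same `<sec:http>` (logout filter) through which the bearer token is presented, otherwise the request never reaches it.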

Answer 1 (score: 1)

You could do this in a sessionDestroyedListener... it looks roughly like this. In this code I'm updating the lastLogout date; you can do whatever you need to there.

import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationListener;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.session.SessionDestroyedEvent;
import org.springframework.stereotype.Component;

@Component("sessionDestroyedEventListener")
public class SessionDestroyedEventListener implements ApplicationListener<SessionDestroyedEvent> {

	// UserInfo and AuthenticationService are the answer author's own application classes
	@Autowired
	private AuthenticationService authenticationService;

	public void setAuthenticationService(AuthenticationService authenticationService) {
		this.authenticationService = authenticationService;
	}

	/**
	 * Capture the SessionDestroyedEvent and update the lastLogout date of the user
	 * whose session was destroyed.
	 */
	@Override
	public void onApplicationEvent(SessionDestroyedEvent event) {
		// A destroyed session can carry several security contexts; handle each principal
		List<SecurityContext> contexts = event.getSecurityContexts();

		for (SecurityContext context : contexts) {
			Authentication authentication = context.getAuthentication();
			if (authentication == null) {
				continue;
			}
			Object principal = authentication.getPrincipal();
			UserInfo userInfo;

			if (principal instanceof UserInfo) {
				userInfo = (UserInfo) principal;
			} else {
				// Fall back to a plain username String principal; anything else counts as undefined
				String userCode = principal instanceof String ? (String) principal : null;
				if (userCode == null || "".equals(userCode)) {
					userCode = "UnDefinedUser";
				}
				userInfo = new UserInfo(userCode);
			}

			// authenticationService.updateLastLogoutDate(userInfo.getUsername());
		}
	}
}