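First of all, this is not a duplicate question; I checked the answers here and here but could not get them to work.
Also, I want to execute it before logout, so I cannot use logoutSuccessHandler.
So I need to create a custom LOGOUT_FILTER, and I am really having a hard time getting it to work.
Here is my spring-security XML, in which I tried two approaches. The first is: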
<custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />
<beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <beans:constructor-arg index="0" value="/logoutSuccess" />
    <beans:constructor-arg index="1">
        <beans:list>
            <beans:bean id="securityContextLogoutHandler"
                class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
            <beans:bean id="myLogoutHandler" class="com.fe.cms.listener.SimpleLogoutHandler" />
        </beans:list>
    </beans:constructor-arg>
    <beans:property name="filterProcessesUrl" value="/logout" />
</beans:bean>
But this gives me the error:
Configuration problem: Security namespace does not support decoration of element [custom-filter]
Then I tried:
<beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <beans:constructor-arg index="0" value="/logout" />
    <beans:constructor-arg index="1">
        <beans:ref bean="securityContextLogoutHandler" />
        <beans:ref bean="myLogoutHandler" />
    </beans:constructor-arg>
    <beans:property name="filterProcessesUrl" value="/logout" />
</beans:bean>
<beans:bean id="securityContextLogoutHandler"
    class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
<beans:bean id="myLogoutHandler" class="com.fe.cms.listener.SimpleLogoutHandler" />
<http auto-config="false" entry-point-ref="authenticationManger">
    <custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />
</http>
But this gives me the error:
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChains': Cannot resolve reference to bean 'org.springframework.security.web.DefaultSecurityFilterChain#48' while setting bean property 'sourceList' with key [48]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.DefaultSecurityFilterChain#48': Cannot create inner bean '(inner bean)' of type [org.springframework.security.web.access.ExceptionTranslationFilter] while setting constructor argument with key [6]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#181': Could not resolve matching constructor (hint: specify index/type/name arguments for simple parameters to avoid type ambiguities)
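Can anyone tell me where I am going wrong? I will post the complete XML file if needed.
Answer 0 (score: 1)
If you need to do something before logout, I think a Spring interceptor can help you.
You can implement a class like this: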
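import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

public class JustBeforeLogoutInterceptor extends HandlerInterceptorAdapter {
    @Override
    public boolean preHandle(HttpServletRequest request,
            HttpServletResponse response, Object handler) throws Exception {
        boolean res = super.preHandle(request, response, handler);
        //
        // your code...
        //
        return res;
    }
}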
Then you need to configure the interceptor:
<mvc:interceptors>
    <mvc:interceptor>
        <mvc:mapping path="/logout" />
        <bean class="your.app.JustBeforeLogoutInterceptor" />
    </mvc:interceptor>
</mvc:interceptors>
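This should work. Give it a try.
Answer 1 (score: 1)
Judging by your description, what you want is to access the session and execute some logic. Instead of hacking around with a custom LogoutFilter, simply write an ApplicationListener that listens for HttpSessionDestroyedEvent.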
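import javax.servlet.http.HttpSession;
import org.springframework.context.ApplicationListener;
import org.springframework.security.web.session.HttpSessionDestroyedEvent;
import org.springframework.stereotype.Component;

@Component
public class SessionListener implements ApplicationListener<HttpSessionDestroyedEvent> {
    @Override
    public void onApplicationEvent(HttpSessionDestroyedEvent evt) {
        HttpSession session = evt.getSession();
        // Your logic here
    }
}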
To be able to receive the events, make sure you register the HttpSessionEventPublisher in web.xml.
<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
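The main advantage of this solution is that you can also handle sessions that time out, not only regular logouts.
Answer 2 (score: 0)
You can try extending the current LogoutFilter and executing your custom logic before calling the superclass's doFilter method.
Like this: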
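import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import org.springframework.security.web.authentication.logout.*;

public class CustomLogoutFilter extends LogoutFilter {
    // LogoutFilter has no default constructor, so pass its arguments through.
    public CustomLogoutFilter(LogoutSuccessHandler successHandler, LogoutHandler... handlers) {
        super(successHandler, handlers);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (requiresLogout(request, response)) {
            // IMPLEMENT YOUR CUSTOM LOGIC HERE
            super.doFilter(req, res, chain);
            return;
        }
        chain.doFilter(request, response);
    }
}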
Then you have to replace the default LogoutFilter with your CustomLogoutFilter:
<http>
    <custom-filter position="LOGOUT_FILTER" ref="customLogoutFilter" />
</http>
<bean id="customLogoutFilter" class="example.CustomLogoutFilter">
    <property name="filterProcessesUrl" value="/logout" />
    <!-- Put constructor arguments and other needed properties here -->
</bean>
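Added example, not code from the question or from any of the answers: a LogoutHandler that does its pre-logout work while the session is still alive. LogoutFilter calls its handlers in the order they are listed and SecurityContextLogoutHandler invalidates the HTTP session by default, so a handler like this has to be listed before it. The class name `AuditingLogoutHandler`, the `app.cart` session attribute and the use of the `javax.servlet` API are assumptions made for illustration.

```java
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;

// Hypothetical handler, standing in for a bean like the question's myLogoutHandler.
// Assumes the javax.servlet API used by the Spring Security versions on this page.
public class AuditingLogoutHandler implements LogoutHandler {

    private static final Logger LOG = Logger.getLogger(AuditingLogoutHandler.class.getName());

    // Hypothetical session attribute an application might keep per user.
    static final String CART_ATTR = "app.cart";

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) {
        // authentication is null when an unauthenticated client requests the logout URL.
        String user = (authentication != null) ? sanitize(authentication.getName()) : "<anonymous>";

        // getSession(false) never creates a session; it returns null when none exists
        // or when an earlier handler has already invalidated it.
        HttpSession session = request.getSession(false);
        if (session == null) {
            LOG.warning("logout user=" + user + " without a live session; "
                    + "check that this handler is listed before SecurityContextLogoutHandler");
            return;
        }

        // Pre-logout work: session state is still readable at this point.
        boolean hadCart = session.getAttribute(CART_ATTR) != null;
        LOG.info("logout user=" + user + " hadCart=" + hadCart);
    }

    // Replace control characters so a crafted username cannot forge extra log lines.
    static String sanitize(String value) {
        return value == null ? "<null>" : value.replaceAll("\\p{Cntrl}", "_");
    }
}
```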