spring security自定义注销处理程序

时间:2010-06-24 18:45:37

标签: java spring spring-security

如何在spring-security中将自己的注销处理程序添加到LogoutFilter? 谢谢!

4 个答案:

答案 0 :(得分:20)

以下解决方案对我有用,可能会有所帮助:

  1. 扩展SimpleUrlLogoutSuccessHandler或实施LogoutHandler

    public class LogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {
    
       // Just for setting the default target URL
       public LogoutSuccessHandler(String defaultTargetURL) {
            this.setDefaultTargetUrl(defaultTargetURL);
       }
    
       @Override
       public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
    
            // do whatever you want
            super.onLogoutSuccess(request, response, authentication);
       }
    }
    
  2. 添加到Spring安全配置:

    <security:logout logout-url="/logout" success-handler-ref="logoutSuccessHandler" />
    <bean id="logoutSuccessHandler" class="your.package.name.LogoutSuccessHandler" >
        <constructor-arg value="/putInYourDefaultTargetURLhere" />
    </bean>
    

答案 1 :(得分:4)

请参阅Spring Security论坛中this post的答案:

XML定义:

<beans:bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
    <custom-filter position="LOGOUT_FILTER"/>
    <beans:constructor-arg index="0" value="/logout.jsp"/>
    <beans:constructor-arg index="1">
        <beans:list>
            <beans:ref bean="securityContextLogoutHandler"/>
            <beans:ref bean="myLogoutHandler"/>
        </beans:list>
    </beans:constructor-arg>
</beans:bean>

<beans:bean id="securityContextLogoutHandler" class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"/>

<beans:bean id="myLogoutHandler" class="com.whatever.CustomLogoutHandler">
    <beans:property name="userCache" ref="userCache"/>
</beans:bean>

LogoutHandler类:

public class CustomLogoutHandler implements LogoutHandler {
    private UserCache userCache;

    public void logout(final HttpServletRequest request, final HttpServletResponse response, final Authentication authentication) {
        // ....
    }

    @Required
    public void setUserCache(final UserCache userCache) {
        this.userCache = userCache;
    }
}

答案 2 :(得分:0)

您可以使用像这样的java-config解决方案。


@Configuration
@EnableWebSecurity

public class SpringSecurity2Config extends WebSecurityConfigurerAdapter {


    @Override
    protected void configure(HttpSecurity http) throws Exception {
       //you can set other security config by call http.XXX()

        http
                .logout()
                .addLogoutHandler(new CustomLogoutHandler())
                .logoutUrl("/logout")
                .logoutSuccessHandler(...)
                .permitAll();

    }

    static class CustomLogoutHandler implements LogoutHandler {
        @Override
        public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
            //...

        }

    }

}

答案 3 :(得分:-1)

您应该使用success-handler-ref元素的<logout>属性:

<security:logout invalidate-session="true"
          success-handler-ref="myLogoutHandler"
          logout-url="/logout" />

作为替代解决方案,您可以在注销URL上配置自己的过滤器。