Spring LogoutSuccessHandler未被调用

时间:2016-06-16 16:08:51

标签: spring spring-security spring-boot

我使用的是spring-boot(1.3.5)+ oauth2(spring-cloud-starter-oauth2)。我想测试一些LogoutSuccessHandler,但我无法调用它。

这是我的安全配置:

@Configuration
@EnableWebSecurity
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private LogoutHandler logoutHandler;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .anonymous().disable()
                .httpBasic().disable()
                .authorizeRequests()
                .antMatchers("/index.html", "/", "/resources/**", "/css/**").permitAll()
                .anyRequest().authenticated();

        http.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessHandler(logoutHandler);
        //.invalidateHttpSession(true).deleteCookies("JSESSIONID", "SESSION");
    }
}

这是我的logoutHandler

@Component
public class LogoutHandler extends AbstractAuthenticationTargetUrlRequestHandler implements LogoutSuccessHandler {

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
        setDefaultTargetUrl("/");
        super.handle(request, response, authentication);
    }
}

当我调试应用程序并将断点放到logoutHandler时,它从未被调用过。我在这个配置中遗漏了什么吗?

由于

1 个答案:

答案 0 :(得分:0)

稍微更新您的configure方法。您不必使用AntPathRequestMatcher来匹配退出网址。

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .anonymous().disable()
            .httpBasic().disable()
            .authorizeRequests()
            .antMatchers("/index.html", "/", "/resources/**", "/css/**").permitAll()
            .anyRequest().authenticated()
            .and()
            .logout()
            .logoutUrl("/logout")
            .logoutSuccessHandler(logoutHandler)
            //.deleteCookies("JSESSIONID", "JSESSIONID")
            //.invalidateHttpSession(true)
            .permitAll();
    }