我们使用Spring Security 4.0.x,我需要找到访问已注销用户名的方法。
我已配置@Autowired
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthenticationProvider());
auth.authenticationProvider(daoAuthenticationProvider());
}
:
LogoutSuccessHandler我在方法签名中看到<logout logout-url="/logout" success-handler-ref="logoutSuccessHandler" />
对象:
authentication不幸的是,onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
对象是空的。
我看到authentication(LogoutHandler)在SecurityContextLogoutHandler之前清除了身份验证,但我找不到如何通过logoutSuccessHandler配置配置LogoutHandler的方式。
如何在Spring Security中访问已注销的用户名?
答案 0 :(得分:1)
if (requiresLogout(request, response)) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (logger.isDebugEnabled()) {
logger.debug("Logging out user '" + auth
+ "' and transferring to logout destination");
}
this.handler.logout(request, response, auth);
logoutSuccessHandler.onLogoutSuccess(request, response, auth);
return;
}
正如您所看到的,过滤器已获得Authentication,因此即使SecurityContextLogoutHandler清除Authentication中的SecurityContextHolder,auth仍然保留Authentication,您是否有其他代码在Authentication之前清除LogoutFilter?