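Spring Security: How to find the refresh token using the access token on logout

Time: 2017-08-31 19:02:05

Tags: spring-security spring-security-oauth2

When a user logs out, I also want to revoke the refresh token. The problem is that I can't find it in the LogoutHandler. I only have the access token. In addition, the Authentication object is null.

Configuration: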

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .....
        .and()
            .csrf().disable()
            .logout()
                .logoutUrl("/logout").permitAll()
                .addLogoutHandler(customLogoutHandler)
                .deleteCookies("rememberMe")
                .logoutSuccessUrl(loginPage)
        .....
        ;
}

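1 answer:

Answer 0 (score: 0)

You can try a global search for @Component("customLogoutHandler"), @Service("customLogoutHandler"), "customLogoutHandler", and so on in your project.

I have a similar setup with a logout success handler in my configuration file, as follows: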

@Autowired
private LogoutSuccessHandler myLogoutSuccessHandler;

Then the custom handler. Note that how you revoke the refresh token will depend on the type of TokenStore you use (JDBC, InMemory, etc.):

@Component("myLogoutSuccessHandler")
public class MyLogoutSuccessHandler implements LogoutSuccessHandler {

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
        //logic to revoke tokens
    }

}