Spring Security: how to remove the refresh token and access token when a user logs out of OAuth 2.0?

Tags: spring-security, oauth-2.0

I tried:
```xml
<sec:logout invalidate-session="true" logout-success-url="/logoutsuccess" logout-url="/logout"/>
```
You can do this in a SessionDestroyedListener... roughly like the following.
In this code I am updating the lastLogout date; you can do whatever you want there.
```java
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationListener;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.session.SessionDestroyedEvent;
import org.springframework.stereotype.Component;

@Component("sessionDestroyedEventListener")
public class SessionDestroyedEventListener implements ApplicationListener<SessionDestroyedEvent> {
    // private static Logger logger = BaseLogger.getLogger(AuthenticationEventListener.class);

    @Autowired
    private AuthenticationService authenticationService;   // application-specific service

    public void setAuthenticationService(AuthenticationService authenticationService) {
        this.authenticationService = authenticationService;
    }

    /**
     * Catches the sessionDestroyed event and updates the lastLogout date once the
     * session of a particular user has been destroyed.
     */
    @Override
    public void onApplicationEvent(SessionDestroyedEvent event) {
        Object obj = null;
        UserInfo userInfo = null;   // application-specific principal type
        // One session may carry several security contexts; walk all of them
        List<SecurityContext> contexts = event.getSecurityContexts();
        for (SecurityContext ctx : contexts) {
            if (ctx.getAuthentication() == null) {
                continue;   // anonymous / never-authenticated session
            }
            obj = ctx.getAuthentication().getPrincipal();
            if (obj instanceof UserInfo) {
                userInfo = (UserInfo) obj;
            } else {
                String userCode = (String) obj;
                if (userCode == null || "".equals(userCode)) {
                    userCode = "UnDefinedUser";
                }
                userInfo = new UserInfo(userCode);
            }
            // authenticationService.updateLastLogoutDate(userInfo.getUsername());
        }
    }
}
```
In a Spring Boot application I would:

1. Get the OAuth2AccessToken
2. Use it to remove the OAuth2RefreshToken
3. Then remove the access token itself
```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.stereotype.Component;

@Component
public class CustomLogoutSuccessHandler
        extends AbstractAuthenticationTargetUrlRequestHandler
        implements LogoutSuccessHandler {

    private static final String BEARER_AUTHENTICATION = "Bearer ";
    private static final String HEADER_AUTHORIZATION = "authorization";

    @Autowired
    private TokenStore tokenStore;

    @Override
    public void onLogoutSuccess(HttpServletRequest httpServletRequest,
                                HttpServletResponse httpServletResponse,
                                Authentication authentication) throws IOException, ServletException {
        String token = httpServletRequest.getHeader(HEADER_AUTHORIZATION);
        if (token != null && token.startsWith(BEARER_AUTHENTICATION)) {
            // Take everything after "Bearer "; split(" ")[1] would throw on a bare "Bearer " header
            String accessTokenValue = token.substring(BEARER_AUTHENTICATION.length()).trim();
            OAuth2AccessToken oAuth2AccessToken = tokenStore.readAccessToken(accessTokenValue);
            if (oAuth2AccessToken != null) {
                // Remove the refresh token first: left behind, it could mint a new access token
                OAuth2RefreshToken oAuth2RefreshToken = oAuth2AccessToken.getRefreshToken();
                if (oAuth2RefreshToken != null) {
                    tokenStore.removeRefreshToken(oAuth2RefreshToken);
                }
                tokenStore.removeAccessToken(oAuth2AccessToken);
            }
        }
        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
    }
}
```
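The three steps above, exercised against Spring Security OAuth's InMemoryTokenStore so you can confirm that both tokens are really gone after logout. This is an added example, not code from the question or the answers; the class name, client id and token values are constructed placeholders.

```java
import java.util.Collections;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

public class LogoutRevocationCheck {   // hypothetical class, not part of the answer
    private static final String BEARER = "Bearer ";

    /** Revokes the access token named in an Authorization header plus its refresh token; true if anything was revoked. */
    static boolean revoke(TokenStore store, String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.startsWith(BEARER)) return false;
        String value = authorizationHeader.substring(BEARER.length()).trim();
        if (value.isEmpty()) return false;
        OAuth2AccessToken access = store.readAccessToken(value);
        if (access == null) return false;                    // unknown or already revoked: nothing to do
        OAuth2RefreshToken refresh = access.getRefreshToken();
        if (refresh != null) store.removeRefreshToken(refresh);   // refresh first: it can mint new access tokens
        store.removeAccessToken(access);
        return true;
    }

    public static void main(String[] args) {
        InMemoryTokenStore store = new InMemoryTokenStore();
        // Constructed sample: one access/refresh pair for user "alice" at placeholder client "demo-client"
        OAuth2Request request = new OAuth2Request(Collections.<String, String>emptyMap(), "demo-client",
                null, true, Collections.singleton("read"), null, null, null, null);
        OAuth2Authentication auth = new OAuth2Authentication(request,
                new UsernamePasswordAuthenticationToken("alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER")));
        DefaultOAuth2RefreshToken refresh = new DefaultOAuth2RefreshToken("refresh-123");
        DefaultOAuth2AccessToken access = new DefaultOAuth2AccessToken("access-abc");
        access.setRefreshToken(refresh);
        store.storeRefreshToken(refresh, auth);
        store.storeAccessToken(access, auth);

        boolean revoked = revoke(store, "Bearer access-abc");
        // Both lookups must now be null. removeAccessToken alone does not touch the refresh token
        // store, so skipping step 2 would leave readRefreshToken("refresh-123") non-null and the
        // client able to obtain a fresh access token after "logout".
        System.out.println("revoked=" + revoked
                + " accessGone=" + (store.readAccessToken("access-abc") == null)
                + " refreshGone=" + (store.readRefreshToken("refresh-123") == null));
    }
}
```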
Is there a way to solve this through configuration?... I have ways of doing it with this configuration... but as far as I can tell, sure, you can do it this way.