无法使用JdbcTokenStore在Spring OAuth2中注销
使用了SpringOAuth2withJDBCTokenStore-自定义登录页面,如下面的代码段所示无法使用JdbcTokenStore在Spring OAuth2中注销,spring,spring-boot,spring-oauth2,Spring,Spring Boot,Spring Oauth2,使用了SpringOAuth2withJDBCTokenStore-自定义登录页面,如下面的代码段所示 @Configuration @Order(-20) protected static class LoginConfig extends WebSecurityConfigurerAdapter { @Autowired private AuthenticationManager authenticationManager; @Override protec
@Configuration
@Order(-20)
protected static class LoginConfig extends WebSecurityConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.NEVER)
.invalidSessionUrl("/login")
.sessionAuthenticationErrorUrl("/login")
.and()
.formLogin().loginPage("/login").permitAll().defaultSuccessUrl("/homepage", false)
.failureUrl("/login?error=true")
.and()
.requestMatchers()
.antMatchers("/", "/login", "/logout", "/homepage", "/login?error=true", "/oauth/authorize", "/oauth/confirm_access")
.and()
.logout().logoutUrl("/logout").logoutSuccessUrl("/login").invalidateHttpSession(true)
.permitAll()
.and().authorizeRequests()
.antMatchers("/login**")
.permitAll().anyRequest().authenticated();
// @formatter:on
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.parentAuthenticationManager(authenticationManager);
}
}
来自不同的在线资源,例如Spring Security似乎有一个内置的端点/注销来注销用户,但这似乎对我不起作用。当我点击该端点时,它会重定向回自定义登录页面,这很好,但不一致。使用多个选项卡时,它有时有效,但不是每次都有效。还注意到Spring创建的cookie也没有清除
下面定义的Web安全配置适配器是否有问题
@Configuration
@Order(-20)
protected static class LoginConfig extends WebSecurityConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.formLogin()
.loginPage("/login")
.permitAll()
.defaultSuccessUrl("/homepage", false)
.failureUrl("/login?error=true")
.and()
.requestMatchers().antMatchers("/login", "/homepage", "/login?error=true", "/oauth/authorize", "/oauth/confirm_access")
.and()
.authorizeRequests().anyRequest().authenticated();
// @formatter:on
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.parentAuthenticationManager(authenticationManager);
}
}
一旦内置注销功能开始工作,最好也删除数据库中创建的令牌。尝试了一些可能的答案,但不起作用。如果有任何建议,我们将不胜感激
我可以发布更多的代码片段,如果这有助于提供更清晰的信息。最终我们实现了这一点——希望这对其他同舟共济的人有所帮助 如果在下面的代码段中不需要会话管理配置,则可以忽略该配置
@Configuration
@Order(-20)
protected static class LoginConfig extends WebSecurityConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.NEVER)
.invalidSessionUrl("/login")
.sessionAuthenticationErrorUrl("/login")
.and()
.formLogin().loginPage("/login").permitAll().defaultSuccessUrl("/homepage", false)
.failureUrl("/login?error=true")
.and()
.requestMatchers()
.antMatchers("/", "/login", "/logout", "/homepage", "/login?error=true", "/oauth/authorize", "/oauth/confirm_access")
.and()
.logout().logoutUrl("/logout").logoutSuccessUrl("/login").invalidateHttpSession(true)
.permitAll()
.and().authorizeRequests()
.antMatchers("/login**")
.permitAll().anyRequest().authenticated();
// @formatter:on
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.parentAuthenticationManager(authenticationManager);
}
}
创建一个注销控制器以及上面的步骤就可以了
@Controller
public class LogoutController {
@RequestMapping(value = "/logout", method = RequestMethod.GET)
public String logout(HttpServletRequest request, HttpServletResponse response, Model model) {
/* Getting session and then invalidating it */
HttpSession session = request.getSession();
if (session != null) {
session.invalidate();
}
HandleLogOutResponse(response, request);
return "logout";
}
private void HandleLogOutResponse(HttpServletResponse response, HttpServletRequest request) {
Cookie[] cookies = request.getCookies();
for (Cookie cookie : cookies) {
cookie.setMaxAge(0);
cookie.setValue(null);
cookie.setPath("/");
response.addCookie(cookie);
}
}
您可以使用下面的简单函数注册视图
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/").setViewName("login");
registry.addViewController("/login").setViewName("login");
registry.addViewController("/homepage").setViewName("homepage");
registry.addViewController("/logout").setViewName("logout");
}
最后我们实现了这一点——希望这对其他同舟共济的人有所帮助 如果在下面的代码段中不需要会话管理配置,则可以忽略该配置
@Configuration
@Order(-20)
protected static class LoginConfig extends WebSecurityConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.NEVER)
.invalidSessionUrl("/login")
.sessionAuthenticationErrorUrl("/login")
.and()
.formLogin().loginPage("/login").permitAll().defaultSuccessUrl("/homepage", false)
.failureUrl("/login?error=true")
.and()
.requestMatchers()
.antMatchers("/", "/login", "/logout", "/homepage", "/login?error=true", "/oauth/authorize", "/oauth/confirm_access")
.and()
.logout().logoutUrl("/logout").logoutSuccessUrl("/login").invalidateHttpSession(true)
.permitAll()
.and().authorizeRequests()
.antMatchers("/login**")
.permitAll().anyRequest().authenticated();
// @formatter:on
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.parentAuthenticationManager(authenticationManager);
}
}
创建一个注销控制器以及上面的步骤就可以了
@Controller
public class LogoutController {
@RequestMapping(value = "/logout", method = RequestMethod.GET)
public String logout(HttpServletRequest request, HttpServletResponse response, Model model) {
/* Getting session and then invalidating it */
HttpSession session = request.getSession();
if (session != null) {
session.invalidate();
}
HandleLogOutResponse(response, request);
return "logout";
}
private void HandleLogOutResponse(HttpServletResponse response, HttpServletRequest request) {
Cookie[] cookies = request.getCookies();
for (Cookie cookie : cookies) {
cookie.setMaxAge(0);
cookie.setValue(null);
cookie.setPath("/");
response.addCookie(cookie);
}
}
您可以使用下面的简单函数注册视图
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/").setViewName("login");
registry.addViewController("/login").setViewName("login");
registry.addViewController("/homepage").setViewName("homepage");
registry.addViewController("/logout").setViewName("logout");
}