Logout in Spring Security


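Spring Security supports configuring logout in a configuration class that extends WebSecurityConfigurerAdapter:

The logout() method in HttpSecurity uses a LogoutConfigurer as its configuration base and creates a filter that handles logout:
HttpSecurity: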

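    // Returns the LogoutConfigurer already applied to this HttpSecurity, or applies a new one.
    public LogoutConfigurer<HttpSecurity> logout() throws Exception {
        return (LogoutConfigurer)this.getOrApply(new LogoutConfigurer());
    }

    // Lambda-style variant: customizes the same configurer and returns HttpSecurity for chaining.
    public HttpSecurity logout(Customizer<LogoutConfigurer<HttpSecurity>> logoutCustomizer) throws Exception {
        logoutCustomizer.customize(this.getOrApply(new LogoutConfigurer()));
        return this;
    }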

LogoutConfigurer:

    // Builds the LogoutFilter and registers it in the security filter chain.
    public void configure(H http) throws Exception {
        LogoutFilter logoutFilter = this.createLogoutFilter(http);
        http.addFilter(logoutFilter);
    }


    private LogoutFilter createLogoutFilter(H http) {
        // The built-in handlers are appended after any handlers the application registered.
        this.logoutHandlers.add(this.contextLogoutHandler);
        this.logoutHandlers.add(this.postProcess(new LogoutSuccessEventPublishingLogoutHandler()));
        LogoutHandler[] handlers = (LogoutHandler[])this.logoutHandlers.toArray(new LogoutHandler[0]);
        LogoutFilter result = new LogoutFilter(this.getLogoutSuccessHandler(), handlers);
        // The request matcher decides which requests the filter treats as logout requests.
        result.setLogoutRequestMatcher(this.getLogoutRequestMatcher(http));
        result = (LogoutFilter)this.postProcess(result);
        return result;
    }

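By default it registers a /logout route. A user who visits this route is logged out safely: the HttpSession is invalidated, any configured Remember-me authentication is cleared, and the SecurityContextHolder is cleared. After a successful logout the user is redirected to the /login?logout page.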

If necessary, this can be reconfigured:
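One possible reconfiguration, as an added example that is not code from the original post. The class name, the /account/logout path, the cookie name and the audit handler are assumptions chosen for illustration.

```java
import java.util.logging.Logger;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutHandler;

@Configuration
@EnableWebSecurity
public class LogoutSecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical class name

    private static final Logger LOG = Logger.getLogger(LogoutSecurityConfig.class.getName());

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Hypothetical audit handler. createLogoutFilter() appends the built-in
        // context handler after application handlers, so this one runs while the
        // Authentication is still populated.
        LogoutHandler auditHandler = (request, response, authentication) -> {
            String user = (authentication != null) ? authentication.getName() : "anonymous";
            // Strip CR/LF so a crafted principal name cannot forge log lines.
            LOG.info("logout requested by " + user.replaceAll("[\\r\\n]", "_"));
        };

        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .logout()
                // Replaces the default /logout route. While CSRF protection is
                // enabled (the default), only POST requests to this URL match,
                // so a plain link or image tag cannot log the user out.
                .logoutUrl("/account/logout")
                .addLogoutHandler(auditHandler)
                .invalidateHttpSession(true)   // default, stated explicitly
                .clearAuthentication(true)     // default, stated explicitly
                .deleteCookies("JSESSIONID")   // assumed session cookie name
                // Returns HTTP 200 instead of redirecting to /login?logout,
                // which suits API or single-page clients.
                .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler());
    }
}
```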

