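Logout
Spring Security's default logout URL is /logout. After a logout, Spring Security does the following:
- invalidates the current Session;
- clears the RememberMe record associated with the current user;
- clears the current SecurityContext;
- redirects to the login page.
Spring Security lets us change these default behaviors through configuration.
We add the following to the Spring Security configuration: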
......
.and()
.logout()
    .logoutUrl("/logout")
    .logoutSuccessUrl("/logout/success")
    .deleteCookies("JSESSIONID")
.and()
......
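Exempt the logout success path from authentication:
.antMatchers("/authentication/require",
        "/login.html",
        "/code/image",
        "/code/sms",
        "/session/invalid",
        "/logout/success").permitAll() // request paths that need no authentication
.anyRequest() // all other requests
.authenticated() // require authentication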
@GetMapping("/logout/success")
public String signout() {
    // Message text: "Logout successful, please log in again"
    return "退出成功,请重新登录";
}
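Besides specifying logoutUrl, we can also use logoutSuccessHandler to register a logout success handler that takes care of the logic that runs after a successful logout:
MyLogOutSuccessHandler implements LogoutSuccessHandler: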
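import java.io.IOException;
import javax.servlet.ServletException; // javax.servlet assumed (pre-Jakarta Spring Security 5.x)
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.stereotype.Component;

@Component
public class MyLogOutSuccessHandler implements LogoutSuccessHandler {
    @Override
    public void onLogoutSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
        httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
        httpServletResponse.setContentType("application/json;charset=utf-8");
        httpServletResponse.getWriter().write("退出成功,请重新登录"); // "Logout successful, please log in again"
    }
}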
@Autowired
private MyLogOutSuccessHandler logOutSuccessHandler;
......
.and()
.logout()
    .logoutUrl("/signout")
    // .logoutSuccessUrl("/signout/success")
    .logoutSuccessHandler(logOutSuccessHandler)
    .deleteCookies("JSESSIONID")
.and()
......