Revoking a user's access token in an OAuth security setup
Define a @FrameworkEndpoint so that the handler is picked up and resolved by FrameworkEndpointHandlerMapping instead of by the standard RequestMappingHandlerMapping.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.oauth2.provider.endpoint.FrameworkEndpoint;
import org.springframework.security.oauth2.provider.token.ConsumerTokenServices;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

// Mapped by FrameworkEndpointHandlerMapping rather than the regular RequestMappingHandlerMapping
@FrameworkEndpoint
public class RevokeTokenEndpoint {

    // The ConsumerTokenServices bean backed by the authorization server's token store
    @Autowired
    @Qualifier("consumerTokenServices")
    ConsumerTokenServices consumerTokenServices;

    // DELETE /oauth/token?access_token=... removes the token from the token store
    @RequestMapping(method = RequestMethod.DELETE, value = "/oauth/token")
    @ResponseBody
    public Msg<String> revokeToken(@RequestParam("access_token") String access_token) {
        if (consumerTokenServices.revokeToken(access_token)) {
            return new Msg<>(MessageType.MSG_TYPE_SUCCESS, null, "注销成功");   // "logout succeeded"
        } else {
            return new Msg<>(MessageType.MSG_TYPE_FAILURE, null, "注销失败");   // "logout failed"
        }
    }
}
The method above takes access_token from the request parameters; another approach found online reads access_token from the request Header instead:
import javax.servlet.http.HttpServletRequest;

@Autowired
@Qualifier("consumerTokenServices")
ConsumerTokenServices tokenServices;

// Reads the bearer token from the Authorization header instead of a request parameter
public void revokeToken(HttpServletRequest request) {
    String authorization = request.getHeader("Authorization");
    // The scheme has to be at the start of the header value, followed by one space
    if (authorization != null && authorization.startsWith("Bearer ")) {
        String tokenId = authorization.substring("Bearer".length() + 1);
        tokenServices.revokeToken(tokenId);
    }
}
Deleting the cookie from the server side (for cookies used by the front-end page)
import javax.servlet.http.Cookie;

import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import org.springframework.stereotype.Component;

@Component
public class CustomPostZuulFilter extends ZuulFilter {

    @Override
    public Object run() {
        final RequestContext ctx = RequestContext.getCurrentContext();
        String requestURI = ctx.getRequest().getRequestURI();
        String requestMethod = ctx.getRequest().getMethod();
        // After a DELETE /oauth/token has passed through the gateway, expire the refreshToken cookie
        if (requestURI.contains("oauth/token") && "DELETE".equals(requestMethod)) {
            Cookie cookie = new Cookie("refreshToken", "");
            cookie.setMaxAge(0);   // max-age 0 tells the browser to discard the cookie
            // The path must match the one the cookie was originally issued with, or the browser keeps it
            cookie.setPath(ctx.getRequest().getContextPath() + "/oauth/token");
            ctx.getResponse().addCookie(cookie);
        }
        return null;
    }

    @Override
    public boolean shouldFilter() {
        return true;
    }

    @Override
    public int filterOrder() {
        return 10;
    }

    @Override
    public String filterType() {
        return "post";   // runs after the routed response has come back
    }
}
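The two server-side snippets above each carry a caveat worth making concrete: matching the Authorization header with contains("Bearer") also accepts values where the scheme is not at the start, and a deletion cookie only takes effect when its name and path match the cookie that was originally issued. The following class is an added example, not code from the original post: it is one @FrameworkEndpoint that accepts the token from either the Authorization header or the access_token parameter, parses the Bearer scheme strictly, revokes through the same ConsumerTokenServices bean, and expires the refreshToken cookie in the same response. The class name, the helper names extractBearerToken and expiredCookie, and the assumption that the refresh-token cookie was issued as HttpOnly and Secure over HTTPS are mine; because it maps DELETE /oauth/token it replaces, rather than sits beside, the RevokeTokenEndpoint above.

```java
import java.util.Locale;
import java.util.Optional;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.provider.endpoint.FrameworkEndpoint;
import org.springframework.security.oauth2.provider.token.ConsumerTokenServices;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

// Added example (class and helper names are assumptions, not the post's code)
@FrameworkEndpoint
public class StrictRevokeTokenEndpoint {

    // Same cookie name the Zuul filter above expires
    private static final String REFRESH_COOKIE = "refreshToken";

    @Autowired
    @Qualifier("consumerTokenServices")
    private ConsumerTokenServices consumerTokenServices;

    @RequestMapping(method = RequestMethod.DELETE, value = "/oauth/token")
    public ResponseEntity<Void> revoke(
            @RequestHeader(value = "Authorization", required = false) String authorization,
            @RequestParam(value = "access_token", required = false) String accessTokenParam,
            HttpServletResponse response) {

        // Prefer the header: a token in the query string tends to end up in access logs
        Optional<String> token = extractBearerToken(authorization);
        if (!token.isPresent() && accessTokenParam != null && !accessTokenParam.isEmpty()) {
            token = Optional.of(accessTokenParam);
        }
        if (!token.isPresent()) {
            return ResponseEntity.status(HttpStatus.BAD_REQUEST).build();
        }

        // revokeToken returns false for an unknown token; respond the same way either way so the
        // endpoint cannot be used to check which token values exist in the store
        consumerTokenServices.revokeToken(token.get());
        response.addCookie(expiredCookie(REFRESH_COOKIE, "/oauth/token"));
        return ResponseEntity.status(HttpStatus.NO_CONTENT).build();
    }

    // Accepts exactly "<scheme> <token>" with scheme "Bearer" (case-insensitive, as in RFC 6750)
    // and rejects anything else, unlike contains("Bearer"), which also matches "xBearer y"
    static Optional<String> extractBearerToken(String authorization) {
        if (authorization == null) {
            return Optional.empty();
        }
        String[] parts = authorization.trim().split("\\s+", 2);
        if (parts.length != 2 || !"bearer".equals(parts[0].toLowerCase(Locale.ROOT))) {
            return Optional.empty();
        }
        String token = parts[1].trim();
        return token.isEmpty() ? Optional.empty() : Optional.of(token);
    }

    // A deletion cookie is matched by name, domain and path; path must equal the original's.
    // Flags assume the original cookie was issued HttpOnly and Secure over HTTPS.
    static Cookie expiredCookie(String name, String path) {
        Cookie cookie = new Cookie(name, "");
        cookie.setMaxAge(0);        // browser discards the cookie immediately
        cookie.setPath(path);
        cookie.setHttpOnly(true);   // an HttpOnly cookie cannot be removed by page script anyway
        cookie.setSecure(true);
        return cookie;
    }
}
```

Clearing the cookie on the server side is the only option when it was issued with HttpOnly, since the AngularJS $cookies.remove call in the client code below cannot see such a cookie; the gateway filter above and this endpoint are two places to do the same thing, and only one of them is needed.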
Deleting the access token from the AngularJS client: besides revoking the access token in the token store, the access_token cookie also has to be removed on the client side.
// Bound to the Logout link; $scope.loginData is passed through to logout()
$scope.logout = function() {
    logout($scope.loginData);
};

function logout(params) {
    var req = {
        method: 'DELETE',
        url: "oauth/token"
    };
    $http(req).then(
        function(data) {
            // Server-side revocation succeeded: drop the client cookie and return to the login page
            $cookies.remove("access_token");
            window.location.href = "login";
        },
        function() {
            console.log("error");
        }
    );
}
This function is called when the "Logout" link is clicked:
<a class="btn btn-info" href="#" ng-click="logout()">Logout</a>