Spring Security in Practice - Source Code Analysis of the Logout Mechanism

Principle

  1. Clear the cookies
  2. Clear the current user's remember-me records
  3. Invalidate the current session
  4. Empty the current SecurityContext
  5. Redirect to the login page

Spring Security's logout request (/logout by default) is intercepted and handled by the LogoutFilter.

Implementation

Add a logout link to the home page

Configure MerryyouSecurityConfig
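The configuration step above is shown as an added example rather than the post's own MerryyouSecurityConfig. It uses the Spring Security 5.x WebSecurityConfigurerAdapter style and assumes a DataSource bean (for the persistent_logins table) and a UserDetailsService bean are registered elsewhere; the class and package names are hypothetical. Each logout option is annotated with the handler from the source analysis that it enables.

```java
// Added example (not the post's MerryyouSecurityConfig): Spring Security 5.x
// configuration wiring the five logout steps listed under "Principle".
// Assumptions: a DataSource bean backs persistent_logins, and a
// UserDetailsService bean is defined elsewhere. Package name is hypothetical.
package com.example.security;

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

@Configuration
@EnableWebSecurity
public class LogoutSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;

    @Autowired
    private UserDetailsService userDetailsService;

    // Backs PersistentTokenBasedRememberMeServices with the persistent_logins
    // table, which is what its logout() deletes the user's rows from.
    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl repository = new JdbcTokenRepositoryImpl();
        repository.setDataSource(dataSource);
        // repository.setCreateTableOnStartup(true); // first run only, creates persistent_logins
        return repository;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .and()
            .rememberMe()
                .tokenRepository(persistentTokenRepository())
                .userDetailsService(userDetailsService)
                .tokenValiditySeconds(3600)
                .and()
            .logout()
                .logoutUrl("/logout")          // matched by LogoutFilter#requiresLogout
                .deleteCookies("JSESSIONID")   // CookieClearingLogoutHandler
                .invalidateHttpSession(true)   // SecurityContextLogoutHandler
                .clearAuthentication(true)     // SecurityContextLogoutHandler
                .logoutSuccessUrl("/login")    // target URL used by AbstractAuthenticationTargetUrlRequestHandler#handle
                .permitAll();
    }
}
```

Because CSRF protection is on by default, LogoutFilter's request matcher only accepts POST /logout; the "logout link" on the home page should therefore be a small form that POSTs to /logout and carries the CSRF token, not a plain GET anchor. Registering the remember-me services through rememberMe() is also what makes LogoutConfigurer add PersistentTokenBasedRememberMeServices to the logout handler chain, so the persistent_logins rows are removed without any extra wiring.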

Source Code Analysis

LogoutFilter#doFilter

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    // 1. The request matches /logout
    if (requiresLogout(request, response)) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // 2. Clear the cookies, remember-me records, session and SecurityContext
        this.handler.logout(request, response, auth);
        // 3. Redirect to the login page
        logoutSuccessHandler.onLogoutSuccess(request, response, auth);

        return;
    }

    chain.doFilter(request, response);
}

  • CookieClearingLogoutHandler clears the cookies
  • PersistentTokenBasedRememberMeServices clears the remember-me records
  • SecurityContextLogoutHandler invalidates the current session and empties the current SecurityContext

CookieClearingLogoutHandler#logout

Sets the cookie to null

PersistentTokenBasedRememberMeServices#logout

Removes the user's records from the persistent_logins table

SecurityContextLogoutHandler#logout

Invalidates the current session and empties the current SecurityContext

AbstractAuthenticationTargetUrlRequestHandler#handle

Reads the configured target URL and redirects the request to it
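To make the three handlers' effects visible without a running container, here is an added walkthrough (not code from the post or from Spring Security itself) that builds the same handler chain LogoutFilter delegates to and runs it against Spring's mock servlet objects. It assumes spring-security-web and spring-test on the classpath, and backs the remember-me services with InMemoryTokenRepositoryImpl in place of the persistent_logins table; all user names, token values and the signing key are constructed.

```java
// Added example (not from the post): runs CookieClearingLogoutHandler,
// PersistentTokenBasedRememberMeServices and SecurityContextLogoutHandler in the
// order LogoutFilter uses, then inspects what each one cleared.
// Assumes spring-security-web and spring-test are available; the token repository
// is in-memory instead of the persistent_logins table. All values are constructed.
import java.util.Date;
import javax.servlet.http.Cookie;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.logout.CompositeLogoutHandler;
import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentRememberMeToken;
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;

public class LogoutHandlerWalkthrough {

    public static void main(String[] args) {
        // Constructed state of a logged-in user who ticked "remember me".
        MockHttpServletRequest request = new MockHttpServletRequest("POST", "/logout");
        MockHttpServletResponse response = new MockHttpServletResponse();
        MockHttpSession session = new MockHttpSession();
        request.setSession(session);
        request.setCookies(new Cookie("JSESSIONID", session.getId()),
                           new Cookie("remember-me", "constructed-cookie-value"));

        UserDetails alice = User.withUsername("alice").password("constructed").roles("USER").build();
        Authentication auth = new UsernamePasswordAuthenticationToken(alice, null, alice.getAuthorities());
        SecurityContextHolder.getContext().setAuthentication(auth);

        // One persistent token row for alice, standing in for a persistent_logins row.
        InMemoryTokenRepositoryImpl tokenRepository = new InMemoryTokenRepositoryImpl();
        tokenRepository.createNewToken(
            new PersistentRememberMeToken("alice", "series-1", "token-1", new Date()));
        UserDetailsService userDetailsService = username -> alice;
        PersistentTokenBasedRememberMeServices rememberMe =
            new PersistentTokenBasedRememberMeServices("constructed-key", userDetailsService, tokenRepository);

        // Same handler order as the LogoutFilter chain built by LogoutConfigurer.
        LogoutHandler handler = new CompositeLogoutHandler(
            new CookieClearingLogoutHandler("JSESSIONID"),
            rememberMe,
            new SecurityContextLogoutHandler());

        handler.logout(request, response, auth);

        // 1. CookieClearingLogoutHandler re-sends JSESSIONID with Max-Age=0.
        System.out.println("JSESSIONID max-age: " + response.getCookie("JSESSIONID").getMaxAge());
        // 2. PersistentTokenBasedRememberMeServices removes alice's token rows and cancels the cookie.
        System.out.println("token for series-1: " + tokenRepository.getTokenForSeries("series-1"));
        System.out.println("remember-me max-age: " + response.getCookie("remember-me").getMaxAge());
        // 3. SecurityContextLogoutHandler invalidates the session and empties the context.
        System.out.println("session invalid: " + session.isInvalid());
        System.out.println("authentication: " + SecurityContextHolder.getContext().getAuthentication());
    }
}
```

The three observations at the end (both cookies expired, no token left for the series, session invalid, no Authentication in the context) are exactly the checks worth asserting in a unit test of a logout configuration: a logout that only redirects but leaves a remember-me row behind would let the old cookie re-authenticate the browser on the next visit. Note that the remember-me handler needs the Authentication passed in (the value LogoutFilter reads from the SecurityContext before calling the chain), since it uses auth.getName() to decide whose rows to delete.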
