原理
- 清除
Cookie
- 清除當前用戶的
remember-me
記錄 - 使當前
session
失效 - 清空當前的
SecurityContext
- 重定向到登錄界面
Spring Security
的退出請求(默認爲/logout
)由LogoutFilter過濾器攔截處理
實現
主頁中添加退出鏈接
配置MerryyouSecurityConfig
源碼分析
LogoutFilter#doFilter
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; // 1 匹配到/logout請求 if (requiresLogout(request, response)) { Authentication auth = SecurityContextHolder.getContext().getAuthentication(); // 2 清空Cookie、remember-me、session和SecurityContext this.handler.logout(request, response, auth); // 3 重定向到註冊界面 logoutSuccessHandler.onLogoutSuccess(request, response, auth); return; } chain.doFilter(request, response); }
- CookieClearingLogoutHandler清空Cookie
- PersistentTokenBasedRememberMeServices清空remember-me
- SecurityContextLogoutHandler 使當前session無效,清空當前的SecurityContext
CookieClearingLogoutHandler#logout
Cookie置爲null
PersistentTokenBasedRememberMeServices#logout
清空persistent_logins表中記錄
SecurityContextLogoutHandler#logout
使當前session失效 清空當前的SecurityContext
AbstractAuthenticationTargetUrlRequestHandler#handle
獲取配置的跳轉地址 跳轉請求