原理
- 清除
Cookie - 清除当前用户的
remember-me记录 - 使当前
session失效 - 清空当前的
SecurityContext - 重定向到登录界面
Spring Security的退出请求(默认为/logout)由LogoutFilter过滤器拦截处理
实现
主页中添加退出链接
配置MerryyouSecurityConfig
源码分析
LogoutFilter#doFilter
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
// 1 匹配到/logout请求
if (requiresLogout(request, response)) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
// 2 清空Cookie、remember-me、session和SecurityContext
this.handler.logout(request, response, auth);
// 3 重定向到注册界面
logoutSuccessHandler.onLogoutSuccess(request, response, auth);
return;
}
chain.doFilter(request, response);
}
- CookieClearingLogoutHandler清空Cookie
- PersistentTokenBasedRememberMeServices清空remember-me
- SecurityContextLogoutHandler 使当前session无效,清空当前的SecurityContext
CookieClearingLogoutHandler#logout
Cookie置为null
PersistentTokenBasedRememberMeServices#logout
清空persistent_logins表中记录
SecurityContextLogoutHandler#logout
使当前session失效 清空当前的SecurityContext
AbstractAuthenticationTargetUrlRequestHandler#handle
获取配置的跳转地址 跳转请求
