Spring Security: the /logout request redirects to /login?logout by default, and how to deal with it

When I wrote a logout endpoint with Spring Security today, I found that no matter what I did, the /logout request I had written was never matched; instead it redirected to /login?logout. After searching I found that Spring Security's default logout path is also /logout, so Spring Security never passes the /logout request to my own handler but processes it with its default one.

Solution

There are two approaches to this situation:

Reset the URL of the redirect after logout

We can configure the HttpSecurity object in the security configuration class like this:

@Bean
@SuppressWarnings("all")
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    return http
            .logout()
            // the URL to redirect to after a successful logout (placeholder value)
            .logoutSuccessUrl("需要重定向的url")
            .and()
            .build();
}

This method does not actually avoid the redirect after logout; it only controls which page the client is redirected to after a successful logout, and the redirect itself still happens.

Custom LogoutSuccessHandler

We can configure the HttpSecurity object in the security configuration class like this:

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    return http
            .logout()
            .permitAll()
            .logoutSuccessHandler((httpServletRequest, httpServletResponse, authentication) -> {
                // return a 200 status code after a successful logout
                // httpServletResponse.setStatus(HttpServletResponse.SC_OK);
                // put the code that should run after a successful logout here
            })
            .and()
            .build();
}

After a custom LogoutSuccessHandler is configured, a successful logout goes through our handler instead of the redirect.
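The two approaches above can be combined into one configuration. The following is an added example written for this article, not code from the original post or from Spring Security itself: it moves Spring Security's logout endpoint to a different path so that it no longer shadows an application controller mapped on /logout, clears the server-side session state, and replaces the redirect with a 200 response carrying a small JSON body. It uses the lambda DSL available since Spring Security 5.2 and the jakarta.servlet imports of Spring Boot 3; the path /api/session/logout and the cookie name are assumptions chosen for illustration.

```java
// Added example (not from the original post). Assumptions: Spring Boot 3 /
// Spring Security 6 (jakarta.servlet); on Spring Boot 2 use javax.servlet.
// The logout path and cookie name below are illustrative placeholders.
import java.io.IOException;

import jakarta.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {

    private static final Logger log = LoggerFactory.getLogger(ApiSecurityConfig.class);

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                .httpBasic(Customizer.withDefaults())
                .logout(logout -> logout
                        // Move Spring Security's own logout endpoint off /logout so it
                        // no longer intercepts a controller mapped there (assumed path).
                        .logoutUrl("/api/session/logout")
                        // Drop server-side state, not just the client's cookie.
                        .invalidateHttpSession(true)
                        .clearAuthentication(true)
                        .deleteCookies("JSESSIONID")
                        // Replace the redirect to /login?logout with a 200 + JSON body.
                        .logoutSuccessHandler(jsonLogoutSuccessHandler())
                        .permitAll())
                .build();
    }

    /** Writes a fixed JSON acknowledgement and an audit log line instead of redirecting. */
    @Bean
    public LogoutSuccessHandler jsonLogoutSuccessHandler() {
        return (request, response, authentication) -> {
            // authentication may be null if the session had already expired
            String user = authentication != null ? authentication.getName() : "<no session>";
            log.info("logout completed for user {} from {}", user, request.getRemoteAddr());
            response.setStatus(HttpServletResponse.SC_OK);
            response.setContentType(MediaType.APPLICATION_JSON_VALUE);
            response.setCharacterEncoding("UTF-8");
            // Fixed body: no user-controlled data is written into the JSON.
            writeBody(response, "{\"loggedOut\":true}");
        };
    }

    private static void writeBody(HttpServletResponse response, String body) throws IOException {
        response.getWriter().write(body);
        response.getWriter().flush();
    }
}
```

Two points worth checking when testing this: with CSRF protection enabled (the default), Spring Security's LogoutFilter only handles POST requests to the logout URL, so a GET will not log the user out; and because the logout endpoint is now /api/session/logout, a controller mapped on /logout is reached normally and must do its own session invalidation if it is meant to end the session.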

About Spring Security's default logout

The two methods above only deal with the redirect after logout. If you don't want to use Spring Security's default logout handling at all, you can disable it directly like this:

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    return http
            // disable the default logout endpoint
            .logout().disable()
            .build();
}

What does the /logout provided by Spring Security do?

We may not want to use Spring Security's default logout handling because it might not match our actual business: a logout may have to run a lot of extra logic that the default implementation does not cover. Still, it is what Spring Security provides by default, so what exactly do the default logout and login endpoints do?

Set the following in application.yml to enable Spring Security's debug logging:

logging:
  level:
    org:
      springframework:
        security: DEBUG

Then, after calling the default logout endpoint, you can see output like the following in the console:

You can see that the default logout endpoint performs operations such as clearing the SecurityContext. In fact, if you look directly at the source-code comments on logout(Customizer<LogoutConfigurer<HttpSecurity>> logoutCustomizer), you will find that the official details are given there:

About Spring Security's default login page

Having understood what Spring Security does by default for /logout requests, let's take a look at the default handling of /login.

Sometimes we find that a request to /login automatically jumps to the login page provided by Spring Security. Why? This is caused by two filters, DefaultLoginPageGeneratingFilter and DefaultLogoutPageGeneratingFilter. If we do not configure the HttpSecurity object ourselves, the one provided by Spring Security itself is used, and it configures more filters, including UsernamePasswordAuthenticationFilter. If we do not remove this filter, the default authentication does not actually check the database when logging in. Once we inject our own HttpSecurity object, we find that the default filters are gone and the default login page no longer appears.

View all filters currently applied

You can easily view all currently applied filters as follows:

@SpringBootApplication
public class SpringSecurityTokenApplication {

    public static void main(String[] args) {
        ConfigurableApplicationContext run = SpringApplication.run(SpringSecurityTokenApplication.class, args);
        // set a breakpoint on this line and inspect the run object;
        // run.getBean(DefaultSecurityFilterChain.class) then shows all the filters
        System.out.println();
    }
}
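The breakpoint approach only works with a debugger attached. As an added example that is not part of the original post, the following bean logs every filter of every SecurityFilterChain in order at startup, which is useful for confirming that filters such as DefaultLoginPageGeneratingFilter, DefaultLogoutPageGeneratingFilter or LogoutFilter are (or are no longer) present after a configuration change. It assumes a Spring Boot application with SLF4J on the classpath; injecting List<SecurityFilterChain> works for both the auto-configured chain and user-defined chain beans.

```java
// Added example (not from the original post). Assumes Spring Boot with SLF4J
// and Spring Security 5.x or 6.x; jakarta.servlet is the Boot 3 import
// (use javax.servlet.Filter on Boot 2).
import java.util.List;

import jakarta.servlet.Filter;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.ApplicationRunner;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityFilterReport {

    private static final Logger log = LoggerFactory.getLogger(SecurityFilterReport.class);

    /**
     * Runs once after the application context is ready and prints each
     * SecurityFilterChain bean together with its filters in execution order.
     */
    @Bean
    public ApplicationRunner securityFilterDump(List<SecurityFilterChain> chains) {
        return args -> {
            log.info("{} security filter chain(s) registered", chains.size());
            for (int i = 0; i < chains.size(); i++) {
                SecurityFilterChain chain = chains.get(i);
                // toString() of DefaultSecurityFilterChain includes its request matcher
                log.info("chain #{}: {}", i, chain);
                int position = 0;
                for (Filter filter : chain.getFilters()) {
                    log.info("  [{}] {}", position++, filter.getClass().getName());
                }
            }
        };
    }
}
```

For a quick check without extra code, Spring Security 5.4 and later also logs a line of the form "Will secure any request with [...]" at INFO level when each DefaultSecurityFilterChain is built, which lists the same filters.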

Reference links

While learning about these things, I mainly referred to these two links:

  1. How to disable /logout redirection in Spring Security?
  2. How to disable Spring Security /logout redirection.

Origin blog.csdn.net/weixin_55658418/article/details/129311394