我有最简单的oauth2客户端:
@EnableAutoConfiguration
@Configuration
@EnableOAuth2Sso
@RestController
public class ClientApplication {
@RequestMapping("/")
public String home(Principal user, HttpServletRequest request, HttpServletResponse response) throws ServletException {
return "Hello " + user.getName();
}
public static void main(String[] args) {
new SpringApplicationBuilder(ClientApplication.class)
.properties("spring.config.name=application").run(args);
}
}
我还有以下application.yml:
server:
port: 9999
servlet:
context-path: /client
security:
oauth2:
client:
client-id: acme
client-secret: acmesecret
access-token-uri: http://localhost:8080/oauth/token
user-authorization-uri: http://localhost:8080/oauth/authorize
resource:
user-info-uri: http://localhost:8080/me
logging:
level:
org.springframework.security: DEBUG
org.springframework.web: DEBUG
这是完整的代码。我没有任何其他源代码。它运作正常。
但现在我想添加一个注销功能。我添加了一个端点,但它不起作用。我试着做以下事情:
@RequestMapping("/logout")
public void logout(HttpServletRequest request, HttpServletResponse response) throws ServletException {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
authentication.setAuthenticated(false);
new SecurityContextLogoutHandler().logout(request,response,authentication);
SecurityContextHolder.clearContext();
request.logout();
request.getSession().invalidate();
}
但我仍然登录并可以访问/网址,并使用用户名回复我。
你能帮我解决这个问题吗?
我尝试了这里描述的方法https://spring.io/guides/tutorials/spring-boot-oauth2/#_social_login_logout:
@EnableAutoConfiguration
@Configuration
@EnableOAuth2Sso
@Controller
public class ClientApplication extends WebSecurityConfigurerAdapter {
private Logger logger = LoggerFactory.getLogger(ClientApplication.class);
@RequestMapping("/hello")
public String home(Principal user, HttpServletRequest request, HttpServletResponse response, Model model) throws ServletException {
model.addAttribute("name", user.getName());
return "hello";
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http.antMatcher("/**")
.authorizeRequests()
.antMatchers( "/login**", "/webjars/**", "/error**").permitAll()
.anyRequest()
.authenticated()
.and().logout().logoutSuccessUrl("/").permitAll()
.and()
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
// @formatter:on
}
public static void main(String[] args) {
new SpringApplicationBuilder(ClientApplication.class)
.properties("spring.config.name=application").run(args);
}
}
在FE上写道:
<script type="text/javascript">
$.ajaxSetup({
beforeSend: function (xhr, settings) {
if (settings.type == 'POST' || settings.type == 'PUT'
|| settings.type == 'DELETE') {
if (!(/^http:.*/.test(settings.url) || /^https:.*/
.test(settings.url))) {
// Only send the token to relative URLs i.e. locally.
xhr.setRequestHeader("X-XSRF-TOKEN",
Cookies.get('XSRF-TOKEN'));
}
}
}
});
var logout = function () {
$.post("/client/logout", function () {
$("#user").html('');
$(".unauthenticated").show();
$(".authenticated").hide();
});
return true;
};
$(function() {
$("#logoutButton").on("click", function () {
logout();
});
});
</script>
和
<input type="button" id="logoutButton" value="Logout"/>
但它仍然无法奏效。它会导致以下行为:
发布http://localhost:9999/client/logout重定向到http://localhost:9999/client,但此页面不存在
源代码:
客户 - https://github.com/gredwhite/logour_social-auth-client(使用localhost:9999/client/hello网址)
服务器 - https://github.com/gredwhite/logout_social-auth-server
答案 0 :(得分:3)
您可以从数据库中删除刷新令牌和访问令牌,以节省空间。
@PostMapping("/oauth/logout")
public ResponseEntity<String> revoke(HttpServletRequest request) {
try {
String authorization = request.getHeader("Authorization");
if (authorization != null && authorization.contains("Bearer")) {
String tokenValue = authorization.replace("Bearer", "").trim();
OAuth2AccessToken accessToken = tokenStore.readAccessToken(tokenValue);
tokenStore.removeAccessToken(accessToken);
//OAuth2RefreshToken refreshToken = tokenStore.readRefreshToken(tokenValue);
OAuth2RefreshToken refreshToken = accessToken.getRefreshToken();
tokenStore.removeRefreshToken(refreshToken);
}
} catch (Exception e) {
return ResponseEntity.badRequest().body("Invalid access token");
}
return ResponseEntity.ok().body("Access token invalidated successfully");
}
要注销的URL为: http://localhost:9999/oauth/logout 另外,将访问令牌传递为Authorization标头中的
授权:承载0cb72897-c4f7-4f01-aed9-2f3f79a75484
其中,访问令牌为0cb72897-c4f7-4f01-aed9-2f3f79a75484。
由于具有Spring的安全性,所以请不要忘记跳过/ oauth / logout url来授权访问,就像
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/hello", "/oauth/logout");
}
希望,它将解决Springboot2 + Oauth2中的注销问题。它对我有用。
答案 1 :(得分:1)
您可能希望对/ logout端点使用Spring Security内置支持,这将做正确的事情(清除会话并使cookie无效)。要配置端点,请扩展WebSecurityConfigurer中的现有configure()方法:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/**")
.and().logout().logoutSuccessUrl("/").permitAll();
}
答案 2 :(得分:1)
将以下代码段添加到ClientApplication类。这也将清除您的会话详细信息。
使用您的Web安全适配器类的configure方法替换以下代码。
@Override
protected void configure(HttpSecurity http) throws Exception {
http.antMatcher("/**")
.authorizeRequests()
.antMatchers( "/login**", "/webjars/**", "/error**").permitAll()
.anyRequest()
.authenticated()
.and().logout().invalidateHttpSession(true)
.clearAuthentication(true).logoutSuccessUrl("/login?logout").deleteCookies("JSESSIONID").permitAll().and().csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
}
答案 3 :(得分:0)
尝试将logout url添加到您的安全配置中。
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/")
.permitAll();
答案 4 :(得分:0)
您可以将发布更改为 获取http://localhost:9999/client/logout
对我有用