2021-05-29 15:31  阅读(121)
文章分类:Spring Security 源码分析 文章标签:Spring SecuritySpring Security 源码
©  原文作者: 郑龙飞 原文地址:https://juejin.cn/user/4212984285237870

Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。它提供了一组可以在Spring应用上下文中配置的Bean,充分利用了Spring IoC,DI(控制反转Inversion of Control ,DI:Dependency Injection 依赖注入)和AOP(面向切面编程)功能,为应用系统提供声明式的安全访问控制功能,减少了为企业系统安全控制编写大量重复代码的工作。

退出原理

  1. 清除Cookie
  2. 清除当前用户的remember-me记录
  3. 使当前session失效
  4. 清空当前的SecurityContext
  5. 重定向到登录界面

Spring Security的退出请求(默认为/logout)由LogoutFilter过滤器拦截处理。

退出的实现

  1. 主页中添加退出链接
    <a href="/signOut">退出</a>
    复制代码
  1. 配置MerryyouSecurityConfig
    ......
    				.and()
                    .logout()
                    .logoutUrl("/signOut")//自定义退出的地址
                    .logoutSuccessUrl("/register")//退出之后跳转到注册页面
                    .deleteCookies("JSESSIONID")//删除当前的JSESSIONID
                    .and()
    ......
    复制代码

效果如下

202105291531133901.png https://user-gold-cdn.xitu.io/2018/1/18/16108afa77d2051e?w=1012&h=651&f=gif&s=1286199

源码分析

LogoutFilter#doFilter

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
    			throws IOException, ServletException {
    		HttpServletRequest request = (HttpServletRequest) req;
    		HttpServletResponse response = (HttpServletResponse) res;
    		//#1.匹配到/logout请求
    		if (requiresLogout(request, response)) {
    			Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    
    			if (logger.isDebugEnabled()) {
    				logger.debug("Logging out user '" + auth
    						+ "' and transferring to logout destination");
    			}
    			//#2.处理1-4步
    			this.handler.logout(request, response, auth);
    			//#3.重定向到注册界面
    			logoutSuccessHandler.onLogoutSuccess(request, response, auth);
    
    			return;
    		}
    
    		chain.doFilter(request, response);
    	}
    复制代码
  1. 匹配当前拦截的请求
  2. 处理 清空Cookieremember-mesessionSecurityContext
  3. 重定向到登录界面

handler

202105291531175782.png https://user-gold-cdn.xitu.io/2018/1/18/16108afa7517f33a?w=608&h=337&f=png&s=45158

  1. CookieClearingLogoutHandler清空Cookie
  2. PersistentTokenBasedRememberMeServices清空remember-me
  3. SecurityContextLogoutHandler 使当前session无效,清空当前的SecurityContext
CookieClearingLogoutHandler#logout
    public void logout(HttpServletRequest request, HttpServletResponse response,
    			Authentication authentication) {
    		for (String cookieName : cookiesToClear) {
    			//# 1.Cookie置为null
    			Cookie cookie = new Cookie(cookieName, null);
    			String cookiePath = request.getContextPath();
    			if (!StringUtils.hasLength(cookiePath)) {
    				cookiePath = "/";
    			}
    			cookie.setPath(cookiePath);
    			cookie.setMaxAge(0);
    			response.addCookie(cookie);
    		}
    	}
    复制代码
  1. Cookie置为null

PersistentTokenBasedRememberMeServices#logout

    public void logout(HttpServletRequest request, HttpServletResponse response,
    			Authentication authentication) {
    		super.logout(request, response, authentication);
    
    		if (authentication != null) {
    			//#1.清空persistent_logins表中记录
    			tokenRepository.removeUserTokens(authentication.getName());
    		}
    	}
    复制代码
  1. 清空persistent_logins表中记录

SecurityContextLogoutHandler#logout

    public void logout(HttpServletRequest request, HttpServletResponse response,
    			Authentication authentication) {
    		Assert.notNull(request, "HttpServletRequest required");
    		if (invalidateHttpSession) {
    			HttpSession session = request.getSession(false);
    			if (session != null) {
    				logger.debug("Invalidating session: " + session.getId());
    				//#1.使当前session失效
    				session.invalidate();
    			}
    		}
    
    		if (clearAuthentication) {
    			SecurityContext context = SecurityContextHolder.getContext();
    			//#2.清空当前的`SecurityContext`
    			context.setAuthentication(null);
    		}
    
    		SecurityContextHolder.clearContext();
    	}
    复制代码
  1. 使当前session失效
  2. 清空当前的SecurityContext

AbstractAuthenticationTargetUrlRequestHandler#handle

    	protected void handle(HttpServletRequest request, HttpServletResponse response,
    			Authentication authentication) throws IOException, ServletException {
    		//#1.获取配置的跳转地址
    		String targetUrl = determineTargetUrl(request, response);
    
    		if (response.isCommitted()) {
    			logger.debug("Response has already been committed. Unable to redirect to "
    					+ targetUrl);
    			return;
    		}
    		//#2.跳转请求
    		redirectStrategy.sendRedirect(request, response, targetUrl);
    	}
    复制代码
  1. 获取配置的跳转地址
  2. 跳转请求

代码下载

从我的 github 中下载,github.com/longfeizhen…

点赞(0)
版权归原创作者所有,任何形式转载请联系作者; Java 技术驿站 >> Spring Security源码分析八:Spring Security 退出
上一篇
Spring Security源码分析七:Spring Security 记住我
下一篇
Spring Security源码分析九:Spring Security Session管理