做数学题好的网站互联网营销师教材
spring security自定义登出页面
文档
- 00 - spring security框架使用
- 01 - spring security自定义登录页面
- 02 - spring security基于配置文件及内存的账号密码
自定义登出页面
调整配置类WebSecurityConfig.java
package xin.yangshuai.springsecurity03.config;import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.annotation.web.configurers.FormLoginConfigurer;
import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;@Configuration
// @EnableWebSecurity
public class WebSecurityConfig {@Beanpublic UserDetailsService userDetailsService() {InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();// 此时配置文件中的用户名和密码将不可用manager.createUser(User.withDefaultPasswordEncoder().username("user").password("password").roles("USER").build());return manager;}@Beanpublic SecurityFilterChain filterChain(HttpSecurity http) throws Exception {// 开启授权保护http.authorizeRequests(new Customizer<ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry>() {@Overridepublic void customize(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry) {expressionInterceptUrlRegistry// 对所有请求开启授权保护.anyRequest()// 已经认证的请求会被自动授权.authenticated();}});// 自定义登录页面http.formLogin(new Customizer<FormLoginConfigurer<HttpSecurity>>() {@Overridepublic void customize(FormLoginConfigurer<HttpSecurity> httpSecurityFormLoginConfigurer) {// 自定义登录页,并且设置无需授权允许访问httpSecurityFormLoginConfigurer.loginPage("/login").permitAll();// 配置自定义表单的用户名参数,默认值:usernamehttpSecurityFormLoginConfigurer.usernameParameter("myusername");// 配置自定义表单的密码参数,默认值:passwordhttpSecurityFormLoginConfigurer.passwordParameter("mypassword");// 校验失败时跳转的地址,默认值:/login?errorhttpSecurityFormLoginConfigurer.failureUrl("/login?error");}});// 自定义登出页面http.logout(new Customizer<LogoutConfigurer<HttpSecurity>>() {@Overridepublic void customize(LogoutConfigurer<HttpSecurity> httpSecurityLogoutConfigurer) {// 自定义登出页httpSecurityLogoutConfigurer.logoutUrl("/logout");// 自定义登出成功后跳转的页面httpSecurityLogoutConfigurer.logoutSuccessUrl("/");}});return http.build();}
}logoutUrl("/logout")表示未授权时,会跳转到GET /logout接口,因此需要对GET /logout接口响应自定义的登出页面logoutSuccessUrl("/")表示登出成功后,跳转的页面- 如果关闭csrf攻击防御,则
GET /logout即表示退出请求,将直接执行退出操作,并不会跳转到自定义的登出页面
配置登出页面接口
package xin.yangshuai.springsecurity03.controller;import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;@Controller
public class LoginController {@GetMapping("login")public String login() {return "login";}@GetMapping("logout")public String logout() {return "logout";}
}配置登出页面
根据thymeleaf模板引擎,页面位置:src/main/resources/templates/logout.html
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<head><meta charset="UTF-8"><title>登出</title>
</head>
<body>
<h1>登出</h1>
<form th:action="@{/logout}" method="post"><input type="submit" value="登出">
</form>
</body>
</html>
- 提交表单会默认加上
_csrf参数,防止csrf攻击,这个与配置有关 POST /logout是默认的登出请求接口,登出成功后跳转配置的页面
注意
- 如果关闭csrf攻击防御,则
GET /logout即表示退出请求,将直接执行退出操作,并不会跳转到自定义的登出页面