03 - spring security自定义登出页面

spring security自定义登出页面

文档

1. 00 - spring security框架使用
2. 01 - spring security自定义登录页面
3. 02 - spring security基于配置文件及内存的账号密码

自定义登出页面

调整配置类WebSecurityConfig.java

package xin.yangshuai.springsecurity03.config;import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.config.annotation.web.configurers.FormLoginConfigurer;
import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;@Configuration
// @EnableWebSecurity
public class WebSecurityConfig {@Beanpublic UserDetailsService userDetailsService() {InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();// 此时配置文件中的用户名和密码将不可用manager.createUser(User.withDefaultPasswordEncoder().username("user").password("password").roles("USER").build());return manager;}@Beanpublic SecurityFilterChain filterChain(HttpSecurity http) throws Exception {// 开启授权保护http.authorizeRequests(new Customizer<ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry>() {@Overridepublic void customize(ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry) {expressionInterceptUrlRegistry// 对所有请求开启授权保护.anyRequest()// 已经认证的请求会被自动授权.authenticated();}});// 自定义登录页面http.formLogin(new Customizer<FormLoginConfigurer<HttpSecurity>>() {@Overridepublic void customize(FormLoginConfigurer<HttpSecurity> httpSecurityFormLoginConfigurer) {// 自定义登录页，并且设置无需授权允许访问httpSecurityFormLoginConfigurer.loginPage("/login").permitAll();// 配置自定义表单的用户名参数，默认值：usernamehttpSecurityFormLoginConfigurer.usernameParameter("myusername");// 配置自定义表单的密码参数，默认值：passwordhttpSecurityFormLoginConfigurer.passwordParameter("mypassword");// 校验失败时跳转的地址，默认值：/login?errorhttpSecurityFormLoginConfigurer.failureUrl("/login?error");}});// 自定义登出页面http.logout(new Customizer<LogoutConfigurer<HttpSecurity>>() {@Overridepublic void customize(LogoutConfigurer<HttpSecurity> httpSecurityLogoutConfigurer) {// 自定义登出页httpSecurityLogoutConfigurer.logoutUrl("/logout");// 自定义登出成功后跳转的页面httpSecurityLogoutConfigurer.logoutSuccessUrl("/");}});return http.build();}
}

• logoutUrl("/logout")表示未授权时，会跳转到GET /logout接口，因此需要对GET /logout接口响应自定义的登出页面
• logoutSuccessUrl("/")表示登出成功后，跳转的页面
• 如果关闭csrf攻击防御，则GET /logout即表示退出请求，将直接执行退出操作，并不会跳转到自定义的登出页面

配置登出页面接口

package xin.yangshuai.springsecurity03.controller;import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;@Controller
public class LoginController {@GetMapping("login")public String login() {return "login";}@GetMapping("logout")public String logout() {return "logout";}
}

配置登出页面

根据thymeleaf模板引擎，页面位置：src/main/resources/templates/logout.html

<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<head><meta charset="UTF-8"><title>登出</title>
</head>
<body>
<h1>登出</h1>
<form th:action="@{/logout}" method="post"><input type="submit" value="登出">
</form>
</body>
</html>

• 提交表单会默认加上_csrf参数，防止csrf攻击，这个与配置有关
• POST /logout是默认的登出请求接口，登出成功后跳转配置的页面

注意

• 如果关闭csrf攻击防御，则GET /logout即表示退出请求，将直接执行退出操作，并不会跳转到自定义的登出页面