Logout
Spring Security 默认提供注销端点。登录后,你可以 GET /logout
查看默认的注销确认页面,或 POST /logout
初始化注销。它将:
-
清除
ServerCsrfTokenRepository
、`ServerSecurityContextRepository`以及 -
重定向回登录页面
在注销时,通常还想使会话失效。为实现它,可以将 WebSessionServerLogoutHandler
添加到注销配置中,如下所示:
-
Java
-
Kotlin
@Bean
SecurityWebFilterChain http(ServerHttpSecurity http) throws Exception {
DelegatingServerLogoutHandler logoutHandler = new DelegatingServerLogoutHandler(
new SecurityContextServerLogoutHandler(), new WebSessionServerLogoutHandler()
);
http
.authorizeExchange((exchange) -> exchange.anyExchange().authenticated())
.logout((logout) -> logout.logoutHandler(logoutHandler));
return http.build();
}
@Bean
fun http(http: ServerHttpSecurity): SecurityWebFilterChain {
val customLogoutHandler = DelegatingServerLogoutHandler(
SecurityContextServerLogoutHandler(), WebSessionServerLogoutHandler()
)
return http {
authorizeExchange {
authorize(anyExchange, authenticated)
}
logout {
logoutHandler = customLogoutHandler
}
}
}