How to logout with GET request in SpringBoot WebFlux
How do I configure securityWebFilterChain(ServerHttpSecurity http) so that my application logs out on GET /logout?
I have SpringBoot 2, Spring 5 and WebFlux.
I tried:
    http
        .logout()
            .requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/logout"))
            .logoutSuccessHandler(logoutSuccessHandler("/after-life"))
Problem is, a LogoutPageGeneratingWebFilter sits earlier than the LogoutWebFilter in the emitted SecurityWebFilterChain. In that there is a hardcoded .pathMatchers(HttpMethod.GET, "/logout") - which causes my application to always emit an HTML page on a GET request.
I found no way to suppress the automatic logout page generation :(
As mentioned in the documentation,
The default is that Spring Security will generate a log in page at "/login" and a log out page at "/logout". If this is customized:
- The default log in & log out page are no longer provided
- The application must render a log in page at the provided URL
- The application must render an authentication error page at the provided URL + "?error"
- Authentication will occur for POST to the provided URL
Custom configuration to have default login and without default logout.
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity httpSecurity) {
        // Register the default login page generator explicitly
        LoginPageGeneratingWebFilter loginpage = new LoginPageGeneratingWebFilter();
        loginpage.setFormLoginEnabled(true);
        return httpSecurity
            .addFilterAt(loginpage, SecurityWebFiltersOrder.LOGIN_PAGE_GENERATING)
            .authorizeExchange()
                .pathMatchers("/home").authenticated()
            .and().formLogin()
                // Customizing the login page means the default pages are no longer provided
                .loginPage("/login")
            .and()
            .logout()
                // Log out on GET /logout
                .logoutUrl("/logout").requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/logout"))
            .and()
            .build();
    }
I have the same problem, but I am using OAuth2Login and the application is behind a reverse proxy with prefix stripping and a ForwardedHeaderTransformer. Everything works well, but the logout page has a hardcoded path /logout, so there is no way to add a custom prefix. My solution is to change the logout URL to /logout-oidc:
    http.logout(logout -> logout
        .requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/logout-oidc")));
It is bad that there isn't a method setLogoutPageGenerating(boolean enable) which can disable LogoutPageGeneratingWebFilter.
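Combining the question's snippet with the /logout-oidc workaround from the last answer, as an added example that is not part of the original posts. The class name, the permitAll rule for /after-life, the retained POST /logout matcher and the redirect behaviour of the logoutSuccessHandler helper are assumptions.

```java
import java.net.URI;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.logout.RedirectServerLogoutSuccessHandler;
import org.springframework.security.web.server.authentication.logout.ServerLogoutSuccessHandler;
import org.springframework.security.web.server.util.matcher.OrServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;

@Configuration
@EnableWebFluxSecurity
public class GetLogoutSecurityConfig { // hypothetical class name

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(exchanges -> exchanges
                // assumption: the post-logout landing page is public
                .pathMatchers("/after-life").permitAll()
                .anyExchange().authenticated())
            .formLogin(Customizer.withDefaults())
            .logout(logout -> logout
                .requiresLogout(new OrServerWebExchangeMatcher(
                    // GET on a path the generated logout page does not claim
                    ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/logout-oidc"),
                    // keep POST /logout so the generated page's form still logs out
                    ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, "/logout")))
                .logoutSuccessHandler(logoutSuccessHandler("/after-life")))
            .build();
    }

    // Stand-in for the question's undefined helper; assumed to redirect after logout.
    private static ServerLogoutSuccessHandler logoutSuccessHandler(String uri) {
        RedirectServerLogoutSuccessHandler handler = new RedirectServerLogoutSuccessHandler();
        handler.setLogoutSuccessUrl(URI.create(uri));
        return handler;
    }
}
```

Spring Security's CSRF filter does not check GET requests by default, so the GET logout path runs without a CSRF token; the POST /logout matcher remains covered by it.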