
Invalidate session (logout) in Spring Boot MVC app

I am trying the most simple way of logging in and logging out in Spring MVC. I am a .NET guy and, as I remember, I implemented session authentication in ASP.NET in no time. Now I have to use Spring MVC, and the problem I am facing is that I get a different session object in my logout method, so I can't invalidate it. I am creating a session attribute in the login method, and the place where I use my logic is inside my ProductsController. Here is the code:

Login method:

    // Maps POST /login (the original stacked @PostMapping and @RequestMapping; one mapping is enough)
    @PostMapping("login")
    public ResponseEntity Login(@RequestBody @Valid LoginModel user, HttpServletRequest request, HttpSession session) {

        List<User> userFromDb = service.findByEmailAndPassword(user.getEmail(), user.getPassword());
        if (!userFromDb.isEmpty()) {
            // Note: this stores the request body, password included, in the session
            session.setAttribute("loggedInUser", user);
            return new ResponseEntity(HttpStatus.OK);
        }
        return new ResponseEntity(HttpStatus.UNAUTHORIZED);
    }

Logout method:

    // Maps GET /logout. The unused SessionStatus parameter was dropped: it only applies to
    // @SessionAttributes model attributes, not to the HttpSession being invalidated here.
    @GetMapping("logout")
    public ResponseEntity Logout(HttpServletRequest request, HttpSession session, HttpServletResponse response) {

        session.invalidate();
        // Variant also tried (note that getSession(true) creates a new session once the old one is gone):
        //   request.getSession(true).removeAttribute("loggedInUser");
        //   request.getSession(true).invalidate();

        // Expire every cookie the browser sent, JSESSIONID included
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                cookie.setMaxAge(0);
                cookie.setValue(null);
                cookie.setPath("/");
                response.addCookie(cookie);
            }
        }
        return new ResponseEntity(HttpStatus.OK);
    }

Products controller:

    // Maps GET on the controller root (the original was missing the "@" on @RequestMapping)
    @GetMapping({"", "/"})
    public ResponseEntity Products(HttpServletRequest request, HttpSession session) {

        // An injected HttpSession is never null: Spring calls request.getSession() and creates one
        // on demand, so only the attribute check actually decides anything here
        if (session == null || session.getAttribute("loggedInUser") == null) {
            return new ResponseEntity(HttpStatus.UNAUTHORIZED);
        }
        List<Product> products = service.getAll();
        return new ResponseEntity(products, HttpStatus.OK);
    }

I can log in and the user is saved in the session. However, when I log out I can still visit my products page, which means that the session was not cleared out.

If that is important, I am using a React app created with create-react-app as the frontend on localhost:3000, and my server is on localhost:8080.
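The same session-cookie login/logout flow done by hand, with the checks a reviewer would ask for, as an added example (this is not the asker's code and does not diagnose the asker's specific symptom). It assumes Spring Boot 2.x on javax.servlet, the question's LoginModel with getEmail()/getPassword(), and two hypothetical collaborators that are not on the page: a UserService whose findByEmail(String) returns Optional<User> with a getPasswordHash() accessor, and a PasswordEncoder bean from spring-security-crypto (for example BCryptPasswordEncoder). It differs from the posted code in four places: passwords are compared against a stored hash, the session id is rotated at login, only the user's identity (never the submitted LoginModel) goes into the session, and logout uses getSession(false) so it never creates a session just to invalidate it. The per-controller attribute check is replaced by one HandlerInterceptor that gates every route except /login.

```java
// Added example, not the asker's code. Assumptions: Spring Boot 2.x (javax.servlet),
// the question's LoginModel, a hypothetical UserService.findByEmail(String) -> Optional<User>
// with User.getPasswordHash(), and a PasswordEncoder bean (spring-security-crypto).
package example.auth;

import java.util.Optional;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.validation.Valid;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@RestController
public class AuthController {
    static final String PRINCIPAL = "loggedInUser";
    static final String SESSION_COOKIE = "JSESSIONID";   // Spring Boot's default cookie name

    private final UserService service;       // hypothetical, see lead-in
    private final PasswordEncoder encoder;

    public AuthController(UserService service, PasswordEncoder encoder) {
        this.service = service;
        this.encoder = encoder;
    }

    @PostMapping("/login")
    public ResponseEntity<Void> login(@RequestBody @Valid LoginModel user, HttpServletRequest request) {
        // Look the user up by email and verify against the stored hash; never query by plaintext password
        Optional<User> match = service.findByEmail(user.getEmail())
                .filter(u -> encoder.matches(user.getPassword(), u.getPasswordHash()));
        if (!match.isPresent()) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
        // Session fixation defence: discard any pre-login session, then issue a fresh id
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        // Keep only the identity in the session; the LoginModel carries the password
        session.setAttribute(PRINCIPAL, match.get().getEmail());
        return ResponseEntity.ok().build();
    }

    @PostMapping("/logout")
    public ResponseEntity<Void> logout(HttpServletRequest request, HttpServletResponse response) {
        // getSession(false): do not create a brand-new session just to invalidate it
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // Expire the session cookie only; wiping every cookie the browser sent is unnecessary
        Cookie expired = new Cookie(SESSION_COOKIE, "");
        expired.setPath("/");
        expired.setMaxAge(0);
        expired.setHttpOnly(true);
        response.addCookie(expired);
        return ResponseEntity.ok().build();
    }
}

// One central gate instead of a check in every controller method
@Configuration
class SessionGateConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new HandlerInterceptor() {
            @Override
            public boolean preHandle(HttpServletRequest req, HttpServletResponse res, Object handler) {
                HttpSession s = req.getSession(false);   // never creates a session as a side effect
                if (s == null || s.getAttribute(AuthController.PRINCIPAL) == null) {
                    res.setStatus(HttpStatus.UNAUTHORIZED.value());
                    return false;                        // the handler is not invoked
                }
                return true;
            }
        }).addPathPatterns("/**").excludePathPatterns("/login");
    }
}
```

One check worth running against a setup like the asker's: with the React dev server on localhost:3000 and the API on localhost:8080 the browser treats them as different origins, and fetch() only sends the JSESSIONID cookie when called with `credentials: 'include'` and the server answers with an explicit `Access-Control-Allow-Origin` plus `Access-Control-Allow-Credentials: true`; without that, every request, the logout included, arrives in a fresh session. The create-react-app `proxy` setting in package.json sidesteps this by making the API look same-origin to the browser.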

Use the Spring Security constraints and logout config inside your WebSecurityConfigurerAdapter config class (implementation):

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // ...

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Disabling CSRF is what lets /logout be called with GET; keep it enabled in production
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/login*").permitAll()
                // anyRequest() must be the last matcher and appear once (the original listed it twice)
                .anyRequest().authenticated()
                // ...
                .and()
            .logout()
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID");
    }

    // ...
}
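The configuration above completed for the asker's setup (React dev server on localhost:3000, API on localhost:8080), as an added example rather than the answerer's code. It keeps CSRF enabled with a cookie-based token instead of disabling it, enables CORS with credentials so the session cookie crosses origins, answers 401 instead of redirecting to a login page, rotates the session id at login, and makes logout return 200. One point the answer leaves implicit: `anyRequest().authenticated()` checks Spring Security's SecurityContext, not the `loggedInUser` attribute the question's controller sets, so a hand-rolled /login that only sets a session attribute would still be rejected; the example therefore hands login to Spring Security's form-login filter. It assumes Spring Boot 2.x with Spring Security 5.x and a UserDetailsService bean registered elsewhere (not shown); the allowed origin is a placeholder.

```java
// Added example, not the answerer's code. Assumptions: Spring Boot 2.x / Spring Security 5.x,
// a UserDetailsService bean defined elsewhere, and http://localhost:3000 as a placeholder origin.
package example.security;

import java.util.Arrays;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Cross-origin SPA: picks up the corsConfigurationSource bean below
            .cors().and()
            // Keep CSRF on: the SPA reads the XSRF-TOKEN cookie and echoes it in the X-XSRF-TOKEN header
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).and()
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()     // based on the SecurityContext, not a custom attribute
                .and()
            // API client: 401 instead of a redirect to a login page
            .exceptionHandling()
                .authenticationEntryPoint((req, res, e) -> res.sendError(HttpServletResponse.SC_UNAUTHORIZED))
                .and()
            .sessionManagement()
                .sessionFixation().migrateSession()   // new session id once the user authenticates
                .and()
            // Spring Security's own login filter: expects form fields username/password, not JSON
            .formLogin()
                .loginProcessingUrl("/login")
                .successHandler((req, res, auth) -> res.setStatus(HttpServletResponse.SC_OK))
                .failureHandler((req, res, e) -> res.sendError(HttpServletResponse.SC_UNAUTHORIZED))
                .and()
            .logout()
                .logoutUrl("/logout")                 // POST only while CSRF is enabled
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .deleteCookies("JSESSIONID")
                .logoutSuccessHandler((req, res, auth) -> res.setStatus(HttpServletResponse.SC_OK));
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(Arrays.asList("http://localhost:3000"));   // placeholder origin
        cfg.setAllowedMethods(Arrays.asList("GET", "POST", "OPTIONS"));
        cfg.setAllowedHeaders(Arrays.asList("Content-Type", "X-XSRF-TOKEN"));
        cfg.setAllowCredentials(true);   // required for the browser to send JSESSIONID cross-origin
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", cfg);
        return source;
    }
}
```

On the React side every call must use `fetch(url, { credentials: 'include' })`, otherwise the browser's default of `same-origin` never sends the JSESSIONID cookie to port 8080 and the logout invalidates an empty, freshly created session; the create-react-app `proxy` setting is the alternative that avoids cross-origin requests altogether. A JSON login body needs a custom authentication filter, since the form-login filter reads `username` and `password` as form parameters. WebSecurityConfigurerAdapter is deprecated from Spring Security 5.7, where the same chain is declared as a `SecurityFilterChain` bean.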

粤ICP备18138465号  © 2020-2024 STACKOOM.COM