[英]Invalidate session (logout) in Spring Boot MVC app
I am trying most simple way of logging in and logging out in Spring MVC
.我正在尝试在
Spring MVC
中登录和注销的最简单方法。 I am .NET guy and when I remember I implemented session authentication in ASP.NET
in no time.我是 .NET 人,当我记得我立即在
ASP.NET
中实现了会话身份验证。 Now, I have to use Spring MVC
and problem I facing is that I get different session object in my logout
method, so I can't inalidate it.现在,我必须使用
Spring MVC
,我面临的问题是我在logout
方法中获得了不同的会话对象,因此我无法对其进行无效化。 I am creating session attribute in login
method and the place where I use my logic is inside my ProductsController
.我在
login
方法中创建 session 属性,我使用逻辑的地方在我的ProductsController
。 Here is code:这是代码:
Login method:登录方式:
@PostMapping
@RequestMapping(value = {"login"},method = RequestMethod.POST)
public ResponseEntity Login(@RequestBody @Valid LoginModel user, HttpServletRequest request,HttpSession session){
List<User> userFromDb=service.findByEmailAndPassword(user.getEmail(),user.getPassword());
if(!userFromDb.isEmpty()){
session.setAttribute("loggedInUser", user );
return new ResponseEntity(HttpStatus.OK);
}
return new ResponseEntity(HttpStatus.UNAUTHORIZED);
}
Logout method:登出方法:
@GetMapping
@RequestMapping(value = {"logout"},method = RequestMethod.GET)
public ResponseEntity Logout(HttpServletRequest request, SessionStatus
status,HttpSession session, HttpServletResponse response){
session.invalidate();
// request.getSession(true).removeAttribute("loggedInUser");
//
// request.getSession(true).invalidate();
Cookie[] cookies = request.getCookies();
if(cookies!=null) {
for (Cookie cookie : cookies) {
cookie.setMaxAge(0);
cookie.setValue(null);
cookie.setPath("/");
response.addCookie(cookie);
}
}
return new ResponseEntity(HttpStatus.OK);
}
Products controller:产品控制器:
RequestMapping(value = {"","/"},method = RequestMethod.GET)
@GetMapping
public ResponseEntity Products(HttpServletRequest request, HttpSession session){
if(session==null || session.getAttribute("loggedInUser")==null){
return new ResponseEntity(HttpStatus.UNAUTHORIZED);
}
List<Product> products= service.getAll();
return new ResponseEntity(products,HttpStatus.OK);
}
I can log in and user is saved in session.我可以登录并且用户保存在会话中。 However when I logout I can still visit my products page which means that session was not cleared out.
但是,当我注销时,我仍然可以访问我的产品页面,这意味着该会话没有被清除。
If that is important I am using react app on craeted using create-react-app
frontend on port localhost:3000
and my server is on localhost:8080
.如果这很重要,我将在端口
localhost:3000
上使用create-react-app
前端在 craeted 上使用 react app,而我的服务器在localhost:8080
。
Use the spring security constraints and logout config , inside your WebSecurityConfigurerAdapter
config class (implementation) :在
WebSecurityConfigurerAdapter
配置类(实现)中使用 spring 安全约束和注销配置:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
.
...
...
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/login*").permitAll()
.anyRequest().authenticated()
.anyRequest().authenticated()
....
.
.
.and()
.logout()
.invalidateHttpSession(true)
.deleteCookies("JSESSIONID")
}
...
...
...
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.