How to logout with GET request in SpringBoot WebFlux

How do I configure securityWebFilterChain(ServerHttpSecurity http) so that my application logs out on GET /logout?

I have Spring Boot 2, Spring 5 and WebFlux.

I tried:

  http
    .logout()
      .requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/logout"))
      .logoutSuccessHandler(logoutSuccessHandler("/after-life"))

The problem is that a LogoutPageGeneratingWebFilter sits earlier than the LogoutWebFilter in the emitted SecurityWebFilterChain. It contains a hardcoded .pathMatchers(HttpMethod.GET, "/logout"), which causes my application to always emit an HTML page on a GET request.

I found no way to suppress the automatic logout page generation :(

As mentioned in the documentation,

The default is that Spring Security will generate a log in page at "/login" and a log out page at "/logout". If this is customized:

- The default log in & log out page are no longer provided
- The application must render a log in page at the provided URL
- The application must render an authentication error page at the provided URL + "?error"
- Authentication will occur for POST to the provided URL

Custom configuration to have the default login but not the default logout:

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity httpSecurity) {
        // Register the generated login page by hand; customizing the login page
        // below means the default log in and log out pages are no longer provided.
        LoginPageGeneratingWebFilter loginpage = new LoginPageGeneratingWebFilter();
        loginpage.setFormLoginEnabled(true);

        return httpSecurity
                .addFilterAt(loginpage, SecurityWebFiltersOrder.LOGIN_PAGE_GENERATING)
                .authorizeExchange()
                    .pathMatchers("/home").authenticated()
                .and()
                .formLogin()
                    .loginPage("/login")
                .and()
                .logout()
                    // Log out on GET /logout
                    .logoutUrl("/logout")
                    .requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/logout"))
                .and()
                .build();
    }

I have the same problem, but I am using OAuth2Login and the application is behind a reverse proxy that strips a prefix, with a ForwardedHeaderTransformer. Everything works well, but the logout page has the hardcoded path /logout, so there is no way to add a custom prefix. My solution is to change the logout URL to /logout-oidc:

    // Match the logout request on a path other than the hardcoded /logout
    http.logout(logout -> logout
            .requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/logout-oidc")));

It is bad that there isn't a method setLogoutPageGenerating(boolean enable) that can disable LogoutPageGeneratingWebFilter.
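An added example, not code from the question or either answer: the first answer's configuration completed with the redirect to /after-life that the question asked for. It assumes Spring Security 5.x as in the question; the class name and the permitAll paths are assumptions.

```java
import java.net.URI;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.logout.RedirectServerLogoutSuccessHandler;
import org.springframework.security.web.server.ui.LoginPageGeneratingWebFilter;
import org.springframework.security.web.server.util.matcher.OrServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;

@Configuration
@EnableWebFluxSecurity
public class GetLogoutSecurityConfig { // hypothetical class name

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        // Stand-in for the question's logoutSuccessHandler("/after-life") helper.
        RedirectServerLogoutSuccessHandler afterLogout = new RedirectServerLogoutSuccessHandler();
        afterLogout.setLogoutSuccessUrl(URI.create("/after-life"));

        // Per the quoted documentation, customizing loginPage(...) drops both generated
        // pages, so the generated login form is registered again by hand.
        LoginPageGeneratingWebFilter loginPage = new LoginPageGeneratingWebFilter();
        loginPage.setFormLoginEnabled(true);

        return http
            .addFilterAt(loginPage, SecurityWebFiltersOrder.LOGIN_PAGE_GENERATING)
            .authorizeExchange()
                .pathMatchers("/login", "/after-life").permitAll() // assumed public paths
                .anyExchange().authenticated()
            .and()
            .formLogin().loginPage("/login")
            .and()
            .logout()
                // Accept GET as well as the default POST. The CSRF filter does not
                // check GET, so a cross-site link to /logout ends the session too.
                .requiresLogout(new OrServerWebExchangeMatcher(
                    ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/logout"),
                    ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, "/logout")))
                .logoutSuccessHandler(afterLogout)
            .and()
            .build();
    }
}
```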
