How to Logout from Oauth2 SSO Server

I found a tutorial about SSO configuration: https://github.com/dsyer/spring-security-angular/tree/master/oauth2

oauth2-authserver

@Configuration
@Order(-10)
protected static class LoginConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            .formLogin().loginPage("/login").permitAll()
        .and()
            .requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
        .and()
            .authorizeRequests().anyRequest().authenticated()
            .and().sessionManagement();
        // @formatter:on
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.parentAuthenticationManager(authenticationManager);
    }
}

oauth2-ui

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.logout().and().antMatcher("/**").authorizeRequests()
                .antMatchers("/index.html", "/home.html", "/", "/login").permitAll()
                .anyRequest().authenticated().and().csrf()
                .csrfTokenRepository(csrfTokenRepository()).and()
                .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
    }

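I only need a one-time login authentication on my authserver, so when the user is already authenticated and redirected to the oauth2-ui application, the authentication login on the server has expired. So when the user logs out of oauth2-ui and tries to log in again, the user has to enter the username and password again, because the authentication on the server has expired.

Sorry for my bad English, thanks in advance!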

If you read the blog https://spring.io/blog/2015/02/03/sso-with-oauth2-angular-js-and-spring-security-part-v, which actually explains the way of implementing the same type of security as you are doing (actually you are just implementing the JWT version of almost the same thing; if you want the actual code of the blog, then use the oauth2-vanilla version of the same repo)... towards the end, it is clearly stated that "and it's a notoriously tricky problem" (as written in the blog). There is actually a new release in the same series of blogs which solves your problem: https://github.com/dsyer/spring-security-angular/tree/master/double. There you can see how logout is implemented with the help of spring-session and a Redis server that actually stores your sessions. All the best! Feel free to get in touch if you have any questions.