How to logout with GET request in SpringBoot WebFlux
How do I configure securityWebFilterChain(ServerHttpSecurity http) so that my application logs out on GET /logout?
I have SpringBoot 2, Spring 5 and WebFlux.
I tried:

    http
        .logout()
        .requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/logout"))
        .logoutSuccessHandler(logoutSuccessHandler("/after-life"))

The problem is that the LogoutPageGeneratingWebFilter is placed earlier than the LogoutWebFilter in the emitted SecurityWebFilterChain. There is a hardcoded .pathMatchers(HttpMethod.GET, "/logout") in it, which causes my application to always emit an HTML page on a GET request.
I could not find a way to suppress the automatic logout page generation :(

As stated in the documentation:
The default is that Spring Security will generate a log in page at "/login" and a log out page at "/logout". If this is customized:
The default log in & log out page are no longer provided
The application must render a log in page at the provided URL
The application must render an authentication error page at the provided URL + "?error"
Authentication will occur for POST to the provided URL
Custom configuration that has the default login and no default logout:

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity httpSecurity) {
        LoginPageGeneratingWebFilter loginpage = new LoginPageGeneratingWebFilter();
        loginpage.setFormLoginEnabled(true);
        return httpSecurity
            .addFilterAt(loginpage, SecurityWebFiltersOrder.LOGIN_PAGE_GENERATING)
            .authorizeExchange()
                .pathMatchers("/home").authenticated()
            .and().formLogin()
                .loginPage("/login")
            .and()
            .logout()
                .logoutUrl("/logout").requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/logout"))
            .and()
            .build();
    }

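I have the same problem, but I am using OAuth2Login, and the application is behind a reverse proxy that strips the prefix and uses ForwardedHeaderTransformer. Everything works, but the logout page has the hardcoded path /logout, so a custom prefix cannot be added. My solution was to change the logout URL to /logout-oidc:

    http.logout(logout -> logout
        .requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/logout-oidc")));

It is a pity that there is no method setLogoutPageGenerating(boolean enable) that could disable the LogoutPageGeneratingWebFilter.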
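
A complete configuration that combines the question's redirect to /after-life with the /logout-oidc workaround from the answer above; this is an added example, not code from the original posts. The class name LogoutOnGetSecurityConfig is hypothetical, and the example assumes Spring Security 5.2 or later (lambda DSL) with the default form login.

```java
import java.net.URI;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.logout.RedirectServerLogoutSuccessHandler;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;

// Hypothetical class name; added example, not the posters' code.
@Configuration
@EnableWebFluxSecurity
public class LogoutOnGetSecurityConfig {

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        // Redirect target after logout, as in the question's "/after-life".
        RedirectServerLogoutSuccessHandler afterLogout = new RedirectServerLogoutSuccessHandler();
        afterLogout.setLogoutSuccessUrl(URI.create("/after-life"));

        return http
            .authorizeExchange(exchanges -> exchanges
                // The post-logout page must be reachable without a session.
                .pathMatchers("/after-life").permitAll()
                .anyExchange().authenticated())
            .formLogin(Customizer.withDefaults())
            .logout(logout -> logout
                // LogoutPageGeneratingWebFilter answers GET /logout before
                // LogoutWebFilter runs, so the GET logout uses another path.
                // With the default login page in use, GET /logout still
                // serves the generated confirmation page.
                .requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/logout-oidc"))
                .logoutSuccessHandler(afterLogout))
            // Spring Security's CSRF protection does not check GET requests,
            // so this endpoint can be triggered by any cross-site link.
            // Accept that risk deliberately, or keep logout on POST.
            .build();
    }
}
```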