Spring Security退出登录(注销) 作者:马育民 • 2020-08-03 17:32 • 阅读:10051 # 介绍 如果 **开启csrf防攻击**,那么退出登录必须是`post`请求,而且要发送token 如果 **禁用csrf防攻击**,可以发送`get`、`post`请求 # 配置类 关键代码: ``` .logout() .logoutSuccessUrl("/login.html")//退出成功访问的页面 .invalidateHttpSession(true)//清空session .permitAll();//让logout部分的url可以任意访问 ``` 默认注销的url:`/logout` 完整代码: ``` package top.malaoshi.stdsecurity.config; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.crypto.password.NoOpPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.web.csrf.CookieCsrfTokenRepository; import top.malaoshi.stdsecurity.security.SLoginService; import javax.annotation.Resource; @Configuration @EnableWebSecurity //@EnableGlobalMethodSecurity(securedEnabled=true) public class WebSecurityConfig extends WebSecurityConfigurerAdapter { // 指定密码编码器,当前密码为明文 @Bean public PasswordEncoder passwordEncoder(){ // return new BCryptPasswordEncoder(); return NoOpPasswordEncoder.getInstance(); } // 登录service,自定义实现 @Resource private SLoginService sLoginService; // 指定使用自定义的登录service,并指定密码编码器 @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(sLoginService).passwordEncoder(passwordEncoder()); } @Override public void configure(WebSecurity web) throws Exception { web.ignoring().antMatchers("/css/**","/js/**","/img/**");//绕开所有的filter,直接跳过验证 } // 安全拦截机制 @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()) .and() .authorizeRequests()//url权限配置 // .antMatchers("/index.html").permitAll() // 匹配这些路径可以所有人访问 .antMatchers("/dept/**").hasRole("admin") .antMatchers("/user/**").hasRole("admin") .anyRequest().authenticated() .and() //login部分 .formLogin() .loginPage("/login.html")//指定登录页面。所有url前面必须写/,否则报错 'xxx' is not a valid forward URL // .usernameParameter("user")//登录页面用户名控件name值 // .passwordParameter("pwd")//登录页面密码控件name值 .loginProcessingUrl("/login")//security提供的处理登录url,默认是/login // .successForwardUrl("/index.html")//登录成功后跳转的页面,需要额外处理才能使用,否则页面会提示错误 .defaultSuccessUrl("/index.html")//登录成功后重定向的页面 .failureUrl("/login_fails.html")//登录失败跳转的页面 // .failureForwardUrl("/login_fails.html")//登录失败不会转发 .permitAll()//让login部分的url可以任意访问 // // //logout部分 .and() .logout()//退出登录需要提交post请求 .logoutSuccessUrl("/login.html")//退出成功访问的页面 .invalidateHttpSession(true)//清空session .permitAll();//让logout部分的url可以任意访问 } } ``` # 注销页面 ``` <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Title</title> <script src="/js/js.cookie.min.js"></script> </head> <body> <script src="/js/js.cookie.min.js"></script> <form method="post" action="/logout"> <input id="_csrf" type="" name="_csrf" value=""> <input type="submit"> </form> <script> // alert(Cookies.get('XSRF-TOKEN')); document.getElementById("_csrf").value=Cookies.get('XSRF-TOKEN'); </script> </body> </html> ``` 讲解: - 如果是ajax,要发送`post`请求 - 如果开启csrf防攻击,要带上`_csrf `标识,提交post请求 原文出处:http://malaoshi.top/show_1EF60TobI7DZ.html