{"success":true,"code":0,"msg":"","data":{"themeEx":{"tid":630,"replies":2,"views":20875,"searchs":0,"topGmtUpdate":null,"top":false},"theme":{"id":630,"title":"Spring Security OAuth2 单点登录退出","content":"
Recently, while working on a project, I found that when using Spring Security OAuth2 for single sign-on, after a client logged out and the user went back to the server's login page, it logged them in directly with the previous account. The required logic should be: after logging in at site 1, site 2 can log in directly without entering a username and password; when either site logs out, the username and password must be entered again to log in.
In the client's WebSecurityConfigurerAdapter:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .logout()
        // After the local logout completes, send the browser to the auth server's logout endpoint
        .logoutSuccessUrl("http://your-auth-server/oauth/exit");
}
On the server side:
@RequestMapping("oauth/exit")
public void exit(HttpServletRequest request, HttpServletResponse response) {
    // Clear the SecurityContext and invalidate the auth server session
    new SecurityContextLogoutHandler().logout(request, null, null);
    try {
        // Redirect target is taken from the Referer header (may be absent, see the note below)
        System.out.println(request.getHeader("referer"));
        response.sendRedirect(request.getHeader("referer"));
    } catch (IOException e) {
        e.printStackTrace();
    }
}
Note: when redirecting from http to https there is no referer; the value retrieved is empty.
Modify the server side:
@Autowired
ConsumerTokenServices tokenServices;

// Revokes the given access token via ConsumerTokenServices and echoes the token id back
@GetMapping("/tokens/revoke/{tokenId:.*}")
@ResponseBody
public String revokeToken(@PathVariable String tokenId) {
    tokenServices.revokeToken(tokenId);
    return tokenId;
}
Or:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.oauth2.provider.endpoint.FrameworkEndpoint;
import org.springframework.security.oauth2.provider.token.ConsumerTokenServices;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@FrameworkEndpoint
public class RevokeTokenEndpoint {

    @Autowired
    @Qualifier("consumerTokenServices")
    ConsumerTokenServices consumerTokenServices;

    // DELETE /oauth/token?access_token=... revokes the token; the return value of
    // revokeToken() tells whether a matching token existed and was removed
    @DeleteMapping("/oauth/token")
    @ResponseBody
    public String revokeToken(String access_token) {
        if (consumerTokenServices.revokeToken(access_token)) {
            return "注销成功";
        } else {
            return "注销失败";
        }
    }
}