问题
I have a spring configuration for logout like follows:
<logout logout-url="/abc/logout"
logout-success-url="/abc/login"/>
Now I want to do programmatically logout. How I can achieve this in Spring 3. I need to do logout from one of my controller which has the following def. and currently I am doing something like following...Is this a good idea..
public void suppressUserProfile() {
//...
return "redirect:/abc/logout";
}
回答1:
It depends. If it's ok for your app to place the logged out user on the "you have been logged out" page then this may be ok. But you can't be sure if your user will really be logged out (e.g. if the browser is suppressing the redirect).
Programmatically you can log out this way:
public void logout(HttpServletRequest request, HttpServletResponse response) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth != null){
new SecurityContextLogoutHandler().logout(request, response, auth);
}
SecurityContextHolder.getContext().setAuthentication(null);
}
As @LateralFractal pointed out, if you haven't changed the defaults of the SecurityContextLogoutHandler (see https://github.com/spring-projects/spring-security/blob/3.2.x/web/src/main/java/org/springframework/security/web/authentication/logout/SecurityContextLogoutHandler.java#L96 ) you can cut this down to
public void logout(HttpServletRequest request) {
new SecurityContextLogoutHandler().logout(request, null, null);
}
or even (although it's a bit ugly)
public void logout() {
HttpServletRequest request =
((ServletRequestAttributes)RequestContextHolder.getRequestAttributes())
.getRequest();
new SecurityContextLogoutHandler().logout(request, null, null);
See https://stackoverflow.com/a/9767869/1686330 for some background on getting the HttpServletRequest.
回答2:
HttpSession session = request.getSession();
session.invalidate();
SecurityContextHolder.clearContext();
来源:https://stackoverflow.com/questions/18957445/how-to-perform-logout-programmatically-in-spring-3