Question
I am following the Spring guide at https://github.com/spring-guides/tut-spring-boot-oauth2/tree/master/logout and applying that to my own example application. I authenticate via a GitHub OAuth2 app.
If I log out, I expect not to be able to access protected URLs afterwards, but I can. I am not sure how to debug this because so much is built in and I "just" have to extend the HTTP configuration to handle logout. I would expect to have to authenticate again, or at least for the application to (silently) get another token from GitHub, assuming I am still authenticated there. But if I log out of GitHub directly, it will still work. This suggests that the token is not being removed. So is logout() in the code below being called? (I think it is, because if I change the logoutSuccessUrl from "/" to "/fred" then that gives an error, so something is happening.)
So the question is: after logout, how do I make subsequent requests at least go to the "click for GitHub auth" link in my app?
WebSecurityConfiguration.java
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.PropertySource;
import org.springframework.context.annotation.PropertySources;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
//@EnableEurekaClient
@EnableOAuth2Sso
@PropertySources({
    @PropertySource("classpath:application-github.properties")
})
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // .csrf()
            // .disable()
            .antMatcher("/**")
            .authorizeRequests()
                // Public resources: landing page, login endpoints, error pages and static assets
                .antMatchers("/", "/login**", "/unpkg.com/**", "/cdn.jsdelivr.net", "/error**", "/*.js", "/*.css")
                .permitAll()
                // Everything else requires an authenticated (GitHub OAuth2) user
                .anyRequest()
                .authenticated()
            .and()
            .logout()
                // After a successful logout, redirect to the landing page
                .logoutSuccessUrl("/")
                .permitAll()
            .and()
            .csrf()
                // Store the CSRF token in a cookie the front-end JavaScript can read (XSRF-TOKEN)
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
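An added example, not code from the question or from the Spring guide, of a logout configuration that makes the session and cookie handling explicit and registers a LogoutHandler that logs when the logout filter actually runs, which is the first thing to check when asking "is logout() being called?". The class name and log message are my own; it assumes the same Spring Boot 2 / spring-security-oauth2-autoconfigure setup as the question.

```java
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Configuration
@EnableOAuth2Sso
public class LogoutHardenedConfiguration extends WebSecurityConfigurerAdapter {

    private static final Logger log = LoggerFactory.getLogger(LogoutHardenedConfiguration.class);

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/**")
            .authorizeRequests()
                .antMatchers("/", "/login**", "/error**", "/*.js", "/*.css").permitAll()
                .anyRequest().authenticated()
            .and()
            .logout()
                // Only accept POST /logout: with CSRF enabled a cross-site GET cannot log the
                // user out, and the front-end must send the XSRF-TOKEN header with the request.
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "POST"))
                // Runs before the session is destroyed; confirms the logout filter was hit and
                // shows which principal is being logged out (hypothetical log line, my own).
                .addLogoutHandler((request, response, authentication) ->
                        log.info("logout called for {}",
                                authentication == null ? "anonymous" : authentication.getName()))
                // Spring Security does both of these by default; stated explicitly so the
                // behaviour is visible: destroy the server-side session that holds the
                // SecurityContext and the OAuth2 token, and clear the current authentication.
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                // Tell the browser to drop the session cookie so it cannot be presented again.
                .deleteCookies("JSESSIONID")
                .logoutSuccessUrl("/")
                .permitAll()
            .and()
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

After a POST to /logout, a GET to a protected URL should receive a redirect to the login entry point rather than the page; if GitHub still has a live session, the SSO flow may then re-authenticate silently, which is a different situation from the local session never having been cleared.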
Source: https://stackoverflow.com/questions/57216597/spring-security-logout-what-is-supposed-to-happen