我正在使用QuickStart for auth0 with Spring Boot 2,但是我的项目使用的是Sping Boot 3,在更改了过时的方法后,logout不再起作用。
安全配置:
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@EnableWebSecurity
public class SecurityConfig {
private final LogoutHandler logoutHandler;
public SecurityConfig(LogoutHandler logoutHandler) {
this.logoutHandler = logoutHandler;
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests()
.requestMatchers("/images/**").permitAll()
.anyRequest().authenticated()
.and().oauth2Login()
.and().logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.addLogoutHandler(logoutHandler);
return http.build();
}
}注销处理程序:
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
import org.springframework.web.util.UriComponentsBuilder;
import java.io.IOException;
@Controller
public class LogoutHandler extends SecurityContextLogoutHandler {
private final Logger log = LoggerFactory.getLogger(this.getClass());
private final ClientRegistrationRepository clientRegistrationRepository;
@Autowired
public LogoutHandler(ClientRegistrationRepository clientRegistrationRepository) {
this.clientRegistrationRepository = clientRegistrationRepository;
}
@Override
public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
Authentication authentication) {
super.logout(httpServletRequest, httpServletResponse, authentication);
String issuer = (String) getClientRegistration().getProviderDetails().getConfigurationMetadata().get("issuer");
String clientId = getClientRegistration().getClientId();
String returnTo = ServletUriComponentsBuilder.fromCurrentContextPath().build().toString();
String logoutUrl = UriComponentsBuilder
.fromHttpUrl(issuer + "v2/logout?client_id={clientId}&returnTo={returnTo}")
.encode()
.buildAndExpand(clientId, returnTo)
.toUriString();
log.info("Will attempt to redirect to logout URL: {}", logoutUrl);
try {
httpServletResponse.sendRedirect(logoutUrl);
} catch (IOException ioe) {
log.error("Error redirecting to logout URL", ioe);
}
}
private ClientRegistration getClientRegistration() {
return this.clientRegistrationRepository.findByRegistrationId("auth0");
}
}当我注销时,我没有被重定向,它显示:You have been signed out但我仍然可以访问受保护的资源,如果转到我的/profile端点,我可以看到我的配置文件,就像我已登录一样。当我使用Sping Boot 2运行QuickStart时不会发生这种情况,我的所有配置都工作正常(客户端密码、客户端ID、发布者URI、回调和注销URL配置正确,并且对于Sping Boot 3应用程序是相同的,我仔细检查)。任何帮助将不胜感激,我找不到教程与Spring Boot 3和Auth 0。
1条答案
按热度按时间sg24os4d1#
我可以用Sping Boot 3.0.4来运行类似的应用程序。我使用的是最新的okta-spring-boot启动器,但我认为这并不重要。你可以尝试下面的方法来处理注销吗?