Spring Security之注销登录

Spring Security支持在继承WebSecurityConfigurerAdapter的配置类中配置注销登录：

HttpSecurity内的logout（）方法以一个LogoutConfigurer作为配置基础，创建一个用于注销登录的过滤器:
HttpSecurity:

public LogoutConfigurer<HttpSecurity> logout() throws Exception { return (LogoutConfigurer)this.getOrApply(new LogoutConfigurer()); } public HttpSecurity logout(Customizer<LogoutConfigurer<HttpSecurity>> logoutCustomizer) throws Exception { logoutCustomizer.customize(this.getOrApply(new LogoutConfigurer())); return this; }

LogoutConfigurer:

public void configure(H http) throws Exception { LogoutFilter logoutFilter = this.createLogoutFilter(http); http.addFilter(logoutFilter); } private LogoutFilter createLogoutFilter(H http) { this.logoutHandlers.add(this.contextLogoutHandler); this.logoutHandlers.add(this.postProcess(new LogoutSuccessEventPublishingLogoutHandler())); LogoutHandler[] handlers = (LogoutHandler[])this.logoutHandlers.toArray(new LogoutHandler[0]); LogoutFilter result = new LogoutFilter(this.getLogoutSuccessHandler(), handlers); result.setLogoutRequestMatcher(this.getLogoutRequestMatcher(http)); result = (LogoutFilter)this.postProcess(result); return result; }

它默认注册了一个/logout路由，用户通过访问该路由可以安全地注销其登录状态，包括使HttpSession失效、清空已配置的Remember-me验证，以及清空SecurityContextHolder，并在注销成功之后重定向到/login?logout页面。

如有必要，还可以重新配置：