The configuration code below does not work for logout. After logging out I can still access the restricted URLs.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    ClientRegistrationRepository clientRegistrationRepository;

    // Logout success handler that redirects to the OIDC provider's end_session_endpoint
    OidcClientInitiatedLogoutSuccessHandler oidcLogoutSuccessHandler() {
        OidcClientInitiatedLogoutSuccessHandler successHandler =
                new OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository);
        //successHandler.setPostLogoutRedirectUri(URI.create("http://localhost:8081/"));
        successHandler.setPostLogoutRedirectUri("{baseUrl}");
        return successHandler;
    }

    @Override
    public void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .authorizeRequests()
                .antMatchers("/", "/error").permitAll()
                .anyRequest().authenticated()
            .and().logout().logoutSuccessHandler(oidcLogoutSuccessHandler())
            // second logout() call configures the same LogoutConfigurer as the line above
            .and().logout().invalidateHttpSession(true)
                .clearAuthentication(true)
                .logoutSuccessUrl("/")
                .deleteCookies("JSESSIONID")
                .permitAll()
            .and().csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .and().oauth2Login()
                .redirectionEndpoint()
                    .baseUri("/api/v1/oauth/callback");
    }
}
You use

    logout().invalidateHttpSession(true)

Maybe you can try adding

    logout().deleteCookies("cookie-names-to-clear")

Maybe this answer can help
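For comparison, here is the same configuration written as one consolidated logout chain. This is an added example, not code from the question or the answer above. It assumes Spring Security 5.3 or later (the `{baseUrl}` template on `setPostLogoutRedirectUri(String)` exists from 5.3 on, and the lambda-style `Customizer` DSL from 5.2), the same `WebSecurityConfigurerAdapter` style the question uses, and a single `ClientRegistrationRepository` bean in the context. The class name `OidcLogoutSecurityConfig` is invented for the example.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class OidcLogoutSecurityConfig extends WebSecurityConfigurerAdapter {

    private final ClientRegistrationRepository clientRegistrationRepository;

    // Constructor injection; assumes exactly one ClientRegistrationRepository bean (example assumption)
    public OidcLogoutSecurityConfig(ClientRegistrationRepository clientRegistrationRepository) {
        this.clientRegistrationRepository = clientRegistrationRepository;
    }

    private LogoutSuccessHandler oidcLogoutSuccessHandler() {
        OidcClientInitiatedLogoutSuccessHandler handler =
                new OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository);
        // RP-initiated logout: once the local session is gone, the handler redirects the browser to the
        // provider's end_session_endpoint (read from the registration's provider metadata) with
        // id_token_hint and this post_logout_redirect_uri. If the metadata carries no end_session_endpoint,
        // the handler falls back to a plain redirect to "/" and the provider session survives, so the next
        // request to a protected URL silently re-authenticates the user.
        handler.setPostLogoutRedirectUri("{baseUrl}");
        return handler;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorize -> authorize
                .antMatchers("/", "/error").permitAll()
                .anyRequest().authenticated()
            )
            .oauth2Login(oauth2 -> oauth2
                .redirectionEndpoint(redirection -> redirection.baseUri("/api/v1/oauth/callback"))
            )
            // A single logout() block. Calling logout() twice reconfigures the same LogoutConfigurer,
            // which is how logoutSuccessUrl("/") ended up beside a custom success handler in the question.
            .logout(logout -> logout
                .logoutUrl("/logout")
                .logoutSuccessHandler(oidcLogoutSuccessHandler())
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .deleteCookies("JSESSIONID")
                .permitAll()
            )
            // With CSRF enabled, /logout is matched on POST only; a GET link to /logout is not a logout.
            .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()));
    }
}
```

Two checks before blaming the configuration: first, trigger logout with a form or XHR that POSTs to `/logout` and carries the CSRF token (the cookie repository above exposes it as the `XSRF-TOKEN` cookie, sent back in the `X-XSRF-TOKEN` header); a plain GET link to `/logout` is ignored when CSRF is enabled and looks exactly like "logout did nothing". Second, fetch the issuer's `/.well-known/openid-configuration` and confirm it lists an `end_session_endpoint`; without it the handler only ends the local session, the provider still considers the browser logged in, and the next visit to a protected URL completes the authorization-code flow without a prompt.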