iSharkFly-Docs
/
java-tutorials
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Bael 3970 (#9132) 

* Manual logout with Spring Security
- Basic manual logout
- logout with Clear Data Site Header

* Add missing annotation for controller. Change mapping URL value.

* Add intergration tests for manual logouts.

* BAEL-3970 - Add asserts on test. Fix tests names. Remove unused imports.

* BAEL-3970 - Use PostMapping annotation. Remove unnecessary information for security configuration.

* remove logout controllers

* Add multiple entrypoints configurations. Create custom handlers for different logouts (basic, cookie clearing, clear-site-data).

* Refactor configuration with lambda DSL.
This commit is contained in:
SippingCode 2020-04-30 08:16:05 +02:00 committed by GitHub
parent 9ae7596d5e
commit 2c99a832cd
4 changed files with 84 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
spring-5-security/src/main/java/com/baeldung/manuallogout/BasicAuthController.java
View File

@ -1,32 +0,0 @@
package com.baeldung.manuallogout;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
@Controller
public class BasicAuthController {
@RequestMapping(value = {"/basiclogout"}, method = RequestMethod.POST)
public String logout(HttpServletRequest request, HttpServletResponse response) {
HttpSession session;
SecurityContextHolder.clearContext();
session = request.getSession(false);
if (session != null) {
session.invalidate();
}
for (Cookie cookie : request.getCookies()) {
String cookieName = cookie.getName();
Cookie cookieToDelete = new Cookie(cookieName, null);
cookieToDelete.setMaxAge(0);
response.addCookie(cookieToDelete);
}
return "redirect:/login?logout";
}
}

29
spring-5-security/src/main/java/com/baeldung/manuallogout/ClearSiteDataController.java
View File

@ -1,29 +0,0 @@
package com.baeldung.manuallogout;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.HeaderWriterLogoutHandler;
import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter;
import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter.Directive;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@Controller
public class ClearSiteDataController {
Directive[] SOURCE = {Directive.COOKIES, Directive.STORAGE, Directive.EXECUTION_CONTEXTS, Directive.CACHE};
@RequestMapping(value = {"/csdlogout"}, method = RequestMethod.POST)
public String logout(HttpServletRequest request, HttpServletResponse response) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth != null) {
ClearSiteDataHeaderWriter csdHeaderWriter = new ClearSiteDataHeaderWriter(SOURCE);
new HeaderWriterLogoutHandler(csdHeaderWriter).logout(request, response, auth);
}
return "redirect:/login?logout";
}
}

89
spring-5-security/src/main/java/com/baeldung/manuallogout/SimpleSecurityConfiguration.java
View File

@ -1,39 +1,80 @@
package com.baeldung.manuallogout;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
import org.springframework.security.web.authentication.logout.HeaderWriterLogoutHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter;
import javax.servlet.http.Cookie;
import static org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter.Directive.*;
@Configuration
@EnableWebSecurity
public class SimpleSecurityConfiguration extends WebSecurityConfigurerAdapter {
public class SimpleSecurityConfiguration {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.formLogin()
.loginProcessingUrl("/login")
.loginPage("/login")
.usernameParameter("username")
.passwordParameter("password")
.defaultSuccessUrl("/")
.failureUrl("/login?error");
@Order(3)
@Configuration
public static class DefaultLogoutConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/basic/**")
.authorizeRequests(authz -> authz.anyRequest().permitAll())
.logout(logout -> logout
.logoutUrl("/basic/basiclogout")
.addLogoutHandler(new SecurityContextLogoutHandler())
.addLogoutHandler(new CookieClearingLogoutHandler(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY))
);
}
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("user")
.password("password")
.roles("USER")
.and()
.withUser("manager")
.password("password")
.credentialsExpired(true)
.accountExpired(true)
.accountLocked(true)
.authorities("WRITE_PRIVILEGES", "READ_PRIVILEGES")
.roles("MANAGER");
@Order(2)
@Configuration
public static class AllCookieClearingLogoutConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/cookies/**")
.authorizeRequests(authz -> authz.anyRequest().permitAll())
.logout(logout -> logout
.logoutUrl("/cookies/cookielogout")
.addLogoutHandler(new SecurityContextLogoutHandler())
.addLogoutHandler((request, response, auth) -> {
for (Cookie cookie : request.getCookies()) {
String cookieName = cookie.getName();
Cookie cookieToDelete = new Cookie(cookieName, null);
cookieToDelete.setMaxAge(0);
response.addCookie(cookieToDelete);
}
}
));
}
}
@Order(1)
@Configuration
public static class ClearSiteDataHeaderLogoutConfiguration extends WebSecurityConfigurerAdapter {
private static final ClearSiteDataHeaderWriter.Directive[] SOURCE =
{ CACHE, COOKIES, STORAGE, EXECUTION_CONTEXTS };
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/csd/**")
.authorizeRequests(authz -> authz.anyRequest().permitAll())
.logout(logout -> logout
.logoutUrl("/csd/csdlogout")
.addLogoutHandler(new HeaderWriterLogoutHandler(new ClearSiteDataHeaderWriter(SOURCE)))
);
}
}
}

24
spring-5-security/src/test/java/com/baeldung/manuallogout/ManualLogoutIntegrationTest.java
View File

@ -7,6 +7,7 @@ import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
@ -36,7 +37,22 @@ public class ManualLogoutIntegrationTest {
@WithMockUser(value = "spring")
@Test
public void givenLoggedUserWhenUserLogoutThenSessionCleared() throws Exception {
public void givenLoggedUserWhenUserLogoutThenSessionClearedAndNecessaryCookieCleared() throws Exception {
MockHttpServletRequest requestStateAfterLogout = this.mockMvc.perform(post("/basic/basiclogout").secure(true).with(csrf()))
.andExpect(status().is3xxRedirection())
.andExpect(unauthenticated())
.andExpect(cookie().maxAge(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, 0))
.andReturn()
.getRequest();
HttpSession sessionStateAfterLogout = requestStateAfterLogout.getSession();
assertNull(sessionStateAfterLogout.getAttribute(ATTRIBUTE_NAME));
}
@WithMockUser(value = "spring")
@Test
public void givenLoggedUserWhenUserLogoutThenSessionClearedAndAllCookiesCleared() throws Exception {
MockHttpSession session = new MockHttpSession();
session.setAttribute(ATTRIBUTE_NAME, ATTRIBUTE_VALUE);
@ -44,7 +60,7 @@ public class ManualLogoutIntegrationTest {
Cookie randomCookie = new Cookie(COOKIE_NAME, COOKIE_VALUE);
randomCookie.setMaxAge(EXPIRY); // 10 minutes
MockHttpServletRequest requestStateAfterLogout = this.mockMvc.perform(post("/basiclogout").secure(true).with(csrf()).session(session).cookie(randomCookie))
MockHttpServletRequest requestStateAfterLogout = this.mockMvc.perform(post("/cookies/cookielogout").secure(true).with(csrf()).session(session).cookie(randomCookie))
.andExpect(status().is3xxRedirection())
.andExpect(unauthenticated())
.andExpect(cookie().maxAge(COOKIE_NAME, 0))
@ -53,15 +69,13 @@ public class ManualLogoutIntegrationTest {
HttpSession sessionStateAfterLogout = requestStateAfterLogout.getSession();
assertNull(sessionStateAfterLogout.getAttribute(ATTRIBUTE_NAME));
}
@WithMockUser(value = "spring")
@Test
public void givenLoggedUserWhenUserLogoutThenClearDataSiteHeaderPresent() throws Exception {
this.mockMvc.perform(post("/csdlogout").secure(true).with(csrf()))
this.mockMvc.perform(post("/csd/csdlogout").secure(true).with(csrf()))
.andDo(print())
.andExpect(status().is3xxRedirection())
.andExpect(header().exists(CLEAR_SITE_DATA_HEADER))