Bael 3970 (#9132)

* Manual logout with Spring Security - Basic manual logout - logout with Clear Data Site Header * Add missing annotation for controller. Change mapping URL value. * Add intergration tests for manual logouts. * BAEL-3970 - Add asserts on test. Fix tests names. Remove unused imports. * BAEL-3970 - Use PostMapping annotation. Remove unnecessary information for security configuration. * remove logout controllers * Add multiple entrypoints configurations. Create custom handlers for different logouts (basic, cookie clearing, clear-site-data). * Refactor configuration with lambda DSL.
2020-04-30 08:16:05 +02:00 · 2020-04-30 08:16:05 +02:00 · 2c99a832cd
commit 2c99a832cd
parent 9ae7596d5e
4 changed files with 84 additions and 90 deletions
--- a/spring-5-security/src/main/java/com/baeldung/manuallogout/BasicAuthController.java
+++ b/spring-5-security/src/main/java/com/baeldung/manuallogout/BasicAuthController.java
@ -1,32 +0,0 @@
 package com.baeldung.manuallogout;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
@Controller
 public class BasicAuthController {
    @RequestMapping(value = {"/basiclogout"}, method = RequestMethod.POST)
    public String logout(HttpServletRequest request, HttpServletResponse response) {
        HttpSession session;
        SecurityContextHolder.clearContext();
        session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        for (Cookie cookie : request.getCookies()) {
            String cookieName = cookie.getName();
            Cookie cookieToDelete = new Cookie(cookieName, null);
            cookieToDelete.setMaxAge(0);
            response.addCookie(cookieToDelete);
        }
        return "redirect:/login?logout";
    }
 }
--- a/spring-5-security/src/main/java/com/baeldung/manuallogout/ClearSiteDataController.java
+++ b/spring-5-security/src/main/java/com/baeldung/manuallogout/ClearSiteDataController.java
@ -1,29 +0,0 @@
 package com.baeldung.manuallogout;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.authentication.logout.HeaderWriterLogoutHandler;
 import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter;
 import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter.Directive;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@Controller
 public class ClearSiteDataController {
    Directive[] SOURCE = {Directive.COOKIES, Directive.STORAGE, Directive.EXECUTION_CONTEXTS, Directive.CACHE};
    @RequestMapping(value = {"/csdlogout"}, method = RequestMethod.POST)
    public String logout(HttpServletRequest request, HttpServletResponse response) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null) {
            ClearSiteDataHeaderWriter csdHeaderWriter = new ClearSiteDataHeaderWriter(SOURCE);
            new HeaderWriterLogoutHandler(csdHeaderWriter).logout(request, response, auth);
        }
        return "redirect:/login?logout";
    }
 }
--- a/spring-5-security/src/main/java/com/baeldung/manuallogout/SimpleSecurityConfiguration.java
+++ b/spring-5-security/src/main/java/com/baeldung/manuallogout/SimpleSecurityConfiguration.java
@ -1,39 +1,80 @@
 package com.baeldung.manuallogout;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
 import org.springframework.security.web.authentication.logout.HeaderWriterLogoutHandler;
 import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
 import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
 import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter;
 import javax.servlet.http.Cookie;
 import static org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter.Directive.*;
@Configuration
@EnableWebSecurity
-public class SimpleSecurityConfiguration extends WebSecurityConfigurerAdapter {
+public class SimpleSecurityConfiguration {
    @Order(3)
    @Configuration
    public static class DefaultLogoutConfiguration extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .antMatcher("/basic/**")
                    .authorizeRequests(authz -> authz.anyRequest().permitAll())
                    .logout(logout -> logout
                            .logoutUrl("/basic/basiclogout")
                            .addLogoutHandler(new SecurityContextLogoutHandler())
                            .addLogoutHandler(new CookieClearingLogoutHandler(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY))
                    );
        }
    }
    @Order(2)
    @Configuration
    public static class AllCookieClearingLogoutConfiguration extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .antMatcher("/cookies/**")
                    .authorizeRequests(authz -> authz.anyRequest().permitAll())
                    .logout(logout -> logout
                            .logoutUrl("/cookies/cookielogout")
                            .addLogoutHandler(new SecurityContextLogoutHandler())
                            .addLogoutHandler((request, response, auth) -> {
                                        for (Cookie cookie : request.getCookies()) {
                                            String cookieName = cookie.getName();
                                            Cookie cookieToDelete = new Cookie(cookieName, null);
                                            cookieToDelete.setMaxAge(0);
                                            response.addCookie(cookieToDelete);
                                        }
                                    }
                            ));
        }
    }
    @Order(1)
    @Configuration
    public static class ClearSiteDataHeaderLogoutConfiguration extends WebSecurityConfigurerAdapter {
        private static final ClearSiteDataHeaderWriter.Directive[] SOURCE =
                { CACHE, COOKIES, STORAGE, EXECUTION_CONTEXTS };
        @Override
        protected void configure(HttpSecurity http) throws Exception {
-        http.formLogin()
+            http
-                .loginProcessingUrl("/login")
+                    .antMatcher("/csd/**")
-                .loginPage("/login")
+                    .authorizeRequests(authz -> authz.anyRequest().permitAll())
-                .usernameParameter("username")
+                    .logout(logout -> logout
-                .passwordParameter("password")
+                            .logoutUrl("/csd/csdlogout")
-                .defaultSuccessUrl("/")
+                            .addLogoutHandler(new HeaderWriterLogoutHandler(new ClearSiteDataHeaderWriter(SOURCE)))
-                .failureUrl("/login?error");
+                    );
        }
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("user")
                .password("password")
                .roles("USER")
                .and()
                .withUser("manager")
                .password("password")
                .credentialsExpired(true)
                .accountExpired(true)
                .accountLocked(true)
                .authorities("WRITE_PRIVILEGES", "READ_PRIVILEGES")
                .roles("MANAGER");
    }
 }
--- a/spring-5-security/src/test/java/com/baeldung/manuallogout/ManualLogoutIntegrationTest.java
+++ b/spring-5-security/src/test/java/com/baeldung/manuallogout/ManualLogoutIntegrationTest.java
@ -7,6 +7,7 @@ import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpSession;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
 import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.test.web.servlet.MockMvc;
@ -36,7 +37,22 @@ public class ManualLogoutIntegrationTest {
    @WithMockUser(value = "spring")
    @Test
-    public void givenLoggedUserWhenUserLogoutThenSessionCleared() throws Exception {
+    public void givenLoggedUserWhenUserLogoutThenSessionClearedAndNecessaryCookieCleared() throws Exception {
        MockHttpServletRequest requestStateAfterLogout = this.mockMvc.perform(post("/basic/basiclogout").secure(true).with(csrf()))
                .andExpect(status().is3xxRedirection())
                .andExpect(unauthenticated())
                .andExpect(cookie().maxAge(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, 0))
                .andReturn()
                .getRequest();
        HttpSession sessionStateAfterLogout = requestStateAfterLogout.getSession();
        assertNull(sessionStateAfterLogout.getAttribute(ATTRIBUTE_NAME));
    }
    @WithMockUser(value = "spring")
    @Test
    public void givenLoggedUserWhenUserLogoutThenSessionClearedAndAllCookiesCleared() throws Exception {
        MockHttpSession session = new MockHttpSession();
        session.setAttribute(ATTRIBUTE_NAME, ATTRIBUTE_VALUE);
@ -44,7 +60,7 @@ public class ManualLogoutIntegrationTest {
        Cookie randomCookie = new Cookie(COOKIE_NAME, COOKIE_VALUE);
        randomCookie.setMaxAge(EXPIRY); // 10 minutes
-        MockHttpServletRequest requestStateAfterLogout = this.mockMvc.perform(post("/basiclogout").secure(true).with(csrf()).session(session).cookie(randomCookie))
+        MockHttpServletRequest requestStateAfterLogout = this.mockMvc.perform(post("/cookies/cookielogout").secure(true).with(csrf()).session(session).cookie(randomCookie))
                .andExpect(status().is3xxRedirection())
                .andExpect(unauthenticated())
                .andExpect(cookie().maxAge(COOKIE_NAME, 0))
@ -53,15 +69,13 @@ public class ManualLogoutIntegrationTest {
        HttpSession sessionStateAfterLogout = requestStateAfterLogout.getSession();
        assertNull(sessionStateAfterLogout.getAttribute(ATTRIBUTE_NAME));
    }
    @WithMockUser(value = "spring")
    @Test
    public void givenLoggedUserWhenUserLogoutThenClearDataSiteHeaderPresent() throws Exception {
-        this.mockMvc.perform(post("/csdlogout").secure(true).with(csrf()))
+        this.mockMvc.perform(post("/csd/csdlogout").secure(true).with(csrf()))
                .andDo(print())
                .andExpect(status().is3xxRedirection())
                .andExpect(header().exists(CLEAR_SITE_DATA_HEADER))