What are the pits encountered when logging out with JWT in Spring Security

2025-04-07 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

This article explains "what are the pits encountered when logging out with JWT in Spring Security". The content is short and clear, and I hope it helps resolve your doubts. Let the editor walk you through "what are the pits encountered when logging out with JWT in Spring Security".

With a Session

Sessions are worth discussing because Spring Security is configured to create sessions by default, so once you log in, the server keeps the Session alive until you log out. As long as that Session is held, every request that reaches the server can obtain the current HttpSession from the ServletRequest and then load the current SecurityContext from it. The relevant logic lives in Spring Security's default filter SecurityContextPersistenceFilter; read its source if you are interested.

By default, SecurityContextPersistenceFilter runs earlier in the chain than the logout filter LogoutFilter, so when you log out with a Session in place, the current user is guaranteed to be available.

Without a Session

After switching to JWT, every request must carry a Bearer Token, and a dedicated filter must intercept and parse it before the user's authentication information can be stored in the SecurityContext. See the Token authentication section of the Spring Security practical tutorial for the JwtAuthenticationFilter implementation. The relevant logic is as follows:

    // when the token matches
    if (jwtToken.equals(accessToken)) {
        // resolve the permission set here
        JSONArray jsonArray = jsonObject.getJSONArray("roles");
        List<String> roles = jsonArray.toList(String.class);
        String[] roleArr = roles.toArray(new String[0]);
        List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList(roleArr);
        User user = new User(username, "[PROTECTED]", authorities);
        // build the user authentication token
        UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken =
                new UsernamePasswordAuthenticationToken(user, null, authorities);
        usernamePasswordAuthenticationToken.setDetails(
                new WebAuthenticationDetailsSource().buildDetails(request));
        // put it into the security context
        SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
    } else {
        // token does not match
        if (log.isDebugEnabled()) {
            log.debug("token: {} is not in matched", jwtToken);
        }
        throw new BadCredentialsException("token is not matched");
    }

Why can't you get the current user when logging out?

Having analyzed how the authentication information reaches the security context in both cases, let's return to the problem itself and see why the current authentication information is unavailable when logging out with JWT. In HttpSecurity, the student had positioned JwtAuthenticationFilter as follows:

    httpSecurity.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);

Let's take a look at the Spring Security filter ordering chart. In the standard order, LogoutFilter sits before UsernamePasswordAuthenticationFilter, so a filter placed "before UsernamePasswordAuthenticationFilter" still runs after LogoutFilter.

That is to say, by the time LogoutFilter handles the logout request, JwtAuthenticationFilter has not yet intercepted and parsed the JWT, so of course no SecurityContext for the current user can be obtained.

Solution

The fix is to parse the JWT and store the successful authentication in the SecurityContext before LogoutFilter executes. Configure it like this:

    httpSecurity.addFilterBefore(jwtAuthenticationFilter, LogoutFilter.class);

With that change the logout handler sees the current user, and all that remains is to invalidate the current JWT and complete the logout.
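The complete configuration below is an added example of the fix described above; it is not the article's or the referenced tutorial's own code. It assumes Spring Boot 3 / Spring Security 6 (jakarta.servlet). The TokenStore interface, its in-memory implementation and the sample token "demo-token" are constructed for illustration; a real implementation would verify the JWT signature and expiry. The JWT filter is registered before LogoutFilter, and the logout handler uses the Authentication that the filter produced to revoke the token.

```java
// Added example (not the article's code). Assumes Spring Security 6 / jakarta.servlet.
import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
public class JwtLogoutConfig {

    /** Hypothetical token service (assumption): maps a JWT to its subject and roles. */
    public interface TokenStore {
        String subjectOf(String jwt);       // null when unknown, expired or revoked
        List<String> rolesOf(String jwt);
        void revoke(String jwt);
    }

    /** Constructed in-memory stand-in so the configuration is complete; not for production. */
    @Bean
    TokenStore tokenStore() {
        Map<String, String> subjects = Map.of("demo-token", "alice");
        Map<String, List<String>> roles = Map.of("demo-token", List.of("ROLE_USER"));
        Set<String> revoked = ConcurrentHashMap.newKeySet();
        return new TokenStore() {
            public String subjectOf(String jwt) { return revoked.contains(jwt) ? null : subjects.get(jwt); }
            public List<String> rolesOf(String jwt) { return roles.getOrDefault(jwt, List.of()); }
            public void revoke(String jwt) { revoked.add(jwt); }
        };
    }

    /** Reads "Authorization: Bearer <jwt>" and, if valid, populates the SecurityContext. */
    static class JwtAuthenticationFilter extends OncePerRequestFilter {
        private final TokenStore tokens;
        JwtAuthenticationFilter(TokenStore tokens) { this.tokens = tokens; }

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            String header = request.getHeader("Authorization");
            if (header != null && header.startsWith("Bearer ")) {
                String jwt = header.substring("Bearer ".length());
                String subject = tokens.subjectOf(jwt);
                if (subject != null) {
                    // Keep the raw JWT as the credentials so the logout handler can revoke it.
                    Authentication authn = new UsernamePasswordAuthenticationToken(subject, jwt,
                            AuthorityUtils.createAuthorityList(tokens.rolesOf(jwt).toArray(new String[0])));
                    SecurityContextHolder.getContext().setAuthentication(authn);
                }
            }
            chain.doFilter(request, response);   // absent or invalid token: request stays anonymous
        }
    }

    /** Runs inside LogoutFilter; auth is non-null only because the JWT filter already ran. */
    static class JwtRevokingLogoutHandler implements LogoutHandler {
        private final TokenStore tokens;
        JwtRevokingLogoutHandler(TokenStore tokens) { this.tokens = tokens; }

        @Override
        public void logout(HttpServletRequest request, HttpServletResponse response, Authentication auth) {
            if (auth == null || auth.getCredentials() == null) {
                return;   // the symptom from the article when the filter order is wrong
            }
            tokens.revoke(auth.getCredentials().toString());
            SecurityContextHolder.clearContext();
        }
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, TokenStore tokens) throws Exception {
        http.csrf(csrf -> csrf.disable())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(a -> a.anyRequest().authenticated())
            // Before LogoutFilter, not merely before UsernamePasswordAuthenticationFilter.
            .addFilterBefore(new JwtAuthenticationFilter(tokens), LogoutFilter.class)
            .logout(l -> l.logoutUrl("/logout")
                          .addLogoutHandler(new JwtRevokingLogoutHandler(tokens))
                          .logoutSuccessHandler((req, resp, authn) -> resp.setStatus(HttpServletResponse.SC_NO_CONTENT)));
        return http.build();
    }
}
```

With this ordering, a request to /logout carrying `Authorization: Bearer demo-token` reaches the handler with a non-null Authentication, the token is added to the revoked set, and subsequent requests with the same token are treated as anonymous. Changing the addFilterBefore argument back to UsernamePasswordAuthenticationFilter.class reproduces the original symptom: the handler receives auth == null and nothing is revoked.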

The above is the whole content of this article, "what are the pits encountered when logging out with JWT in Spring Security". Thank you for reading! I hope the content shared here has been helpful; if you want to learn more, follow the industry information channel!
