Spring Security - 14. DefaultLogoutPageGeneratingFilter
1. DefaultLogoutPageGeneratingFilter.
-
DefaultLogoutPageGeneratingFilter는 스프링 시큐리티 의존성을 추가하면 자동으로 등록되는 시큐리티 필터체인에 들어가 있는 필터 중 하나.
- 해당 필터의 목적은
GET : “/logout”경로에 대해 기본 로그아웃 페이지를 응답하는 역할을 수행함.
- 해당 필터의 목적은
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
....
httpSecurity.formLogin(Customizer.withDefaults());
....
return httpSecurity.build();
}
}- 사용자가 커스텀 시큐리티 필터체인을 등록할 시 위 코드와 같은 설정을 통해 사용할 수 있음.
↓DefaultLogoutPageGeneratingFilterOncePerRequestFilter를 상속받아 구현되어있음.- 한 요청(request)당 단 한 번만 실행되는 필터.
- 내부적으로 동일한 요청이 여러 번 필터를 거치는 것을 방지함.
doFilterInternal()메서드의if()문을 통해 조건을 확인하고true일 경우 로그아웃 페이지를 응답 해줌.
public class DefaultLogoutPageGeneratingFilter extends OncePerRequestFilter {
private RequestMatcher matcher = new AntPathRequestMatcher("/logout", "GET");
private Function<HttpServletRequest, Map<String, String>> resolveHiddenInputs = (request) -> Collections.emptyMap();
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
if (this.matcher.matches(request)) {
renderLogout(request, response);
}
else {
if (logger.isTraceEnabled()) {
logger.trace(LogMessage.format("Did not render default logout page since request did not match [%s]",
this.matcher));
}
filterChain.doFilter(request, response);
}
}
private void renderLogout(HttpServletRequest request, HttpServletResponse response) throws IOException {
String renderedPage = HtmlTemplates.fromTemplate(LOGOUT_PAGE_TEMPLATE)
.withValue("contextPath", request.getContextPath())
.withRawHtml("hiddenInputs", renderHiddenInputs(request).indent(8))
.render();
response.setContentType("text/html;charset=UTF-8");
response.getWriter().write(renderedPage);
}
....
}
- 로그아웃 페이지
- 기본 설정은
GET : “/logout” - CSRF토큰 설정이
enable되어 있어야 해당 페이지를 볼 수 있음.
- 기본 설정은
2. 상세 코드.
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import java.util.function.Function;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.core.log.LogMessage;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import org.springframework.web.filter.OncePerRequestFilter;
/**
* Generates a default log out page.
*
* @author Rob Winch
* @since 5.1
*/
public class DefaultLogoutPageGeneratingFilter extends OncePerRequestFilter {
private RequestMatcher matcher = new AntPathRequestMatcher("/logout", "GET");
private Function<HttpServletRequest, Map<String, String>> resolveHiddenInputs = (request) -> Collections.emptyMap();
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
if (this.matcher.matches(request)) {
renderLogout(request, response);
}
else {
if (logger.isTraceEnabled()) {
logger.trace(LogMessage.format("Did not render default logout page since request did not match [%s]",
this.matcher));
}
filterChain.doFilter(request, response);
}
}
private void renderLogout(HttpServletRequest request, HttpServletResponse response) throws IOException {
String renderedPage = HtmlTemplates.fromTemplate(LOGOUT_PAGE_TEMPLATE)
.withValue("contextPath", request.getContextPath())
.withRawHtml("hiddenInputs", renderHiddenInputs(request).indent(8))
.render();
response.setContentType("text/html;charset=UTF-8");
response.getWriter().write(renderedPage);
}
/**
* Sets a Function used to resolve a Map of the hidden inputs where the key is the
* name of the input and the value is the value of the input. Typically this is used
* to resolve the CSRF token.
* @param resolveHiddenInputs the function to resolve the inputs
*/
public void setResolveHiddenInputs(Function<HttpServletRequest, Map<String, String>> resolveHiddenInputs) {
Assert.notNull(resolveHiddenInputs, "resolveHiddenInputs cannot be null");
this.resolveHiddenInputs = resolveHiddenInputs;
}
private String renderHiddenInputs(HttpServletRequest request) {
StringBuilder sb = new StringBuilder();
for (Map.Entry<String, String> input : this.resolveHiddenInputs.apply(request).entrySet()) {
String inputElement = HtmlTemplates.fromTemplate(HIDDEN_HTML_INPUT_TEMPLATE)
.withValue("name", input.getKey())
.withValue("value", input.getValue())
.render();
sb.append(inputElement);
}
return sb.toString();
}
private static final String LOGOUT_PAGE_TEMPLATE = """
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
<title>Confirm Log Out?</title>
<link href="{{contextPath}}/default-ui.css" rel="stylesheet" />
</head>
<body>
<div class="content">
<form class="logout-form" method="post" action="{{contextPath}}/logout">
<h2>Are you sure you want to log out?</h2>
{{hiddenInputs}}
<button class="primary" type="submit">Log Out</button>
</form>
</div>
</body>
</html>""";
private static final String HIDDEN_HTML_INPUT_TEMPLATE = """
<input name="{{name}}" type="hidden" value="{{value}}" />
""";
}
3. 참고.
Every cloud has a silver lining.