I set the project up as stateless following this document: https://vaadin.com/docs/latest/fusion/security/spring-stateless
Authorization is set up through Keycloak:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Set default security policy that permits Vaadin internal requests and
        // denies all other
        super.configure(http);
        http.sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http
                // Enable OAuth2 login
                .oauth2Login(oauth2Login -> oauth2Login.clientRegistrationRepository(clientRegistrationRepository)
                        .userInfoEndpoint(userInfoEndpoint -> userInfoEndpoint
                                // Use a custom authorities mapper to get the roles from the identity provider
                                // into the Authentication token
                                .userAuthoritiesMapper(authoritiesMapper))
                        // Use a Vaadin aware authentication success handler
                        .successHandler(new VaadinSavedRequestAwareAuthenticationSuccessHandler()))
                // Configure logout
                .logout(logout -> logout
                        .logoutSuccessHandler(logoutSuccessHandler())
                        .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET")));
        setStatelessAuthentication(http,
                new SecretKeySpec(Base64.getDecoder().decode(authSecret),
                        JwsAlgorithms.HS256),
                "com.my.app");
    }

    private OidcClientInitiatedLogoutSuccessHandler logoutSuccessHandler() {
        OidcClientInitiatedLogoutSuccessHandler logoutSuccessHandler =
                new OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository);
        logoutSuccessHandler.setPostLogoutRedirectUri("{baseUrl}/");
        return logoutSuccessHandler;
    }
Authentication works fine, and we can see the JWT in the jwt token cookie.
But when I click the logout button, I am still logged in. Here is the logout function: https://vaadin.com/docs/latest/fusion/security/authentication-offline/#removing-an-expired-authentication
    export async function logout() {
        setSessionExpired();
        await logoutImpl();
        appStore.clearUserInfo();
        location.href = '/logout';
    }
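In a stateless setup there is no server-side session for Spring Security to invalidate, so a logout only takes effect if the cookies carrying the JWT are expired by the server response (and the token itself stays valid until its expiry, which is why short lifetimes matter here). The following is an added example, not code from the question or from Vaadin: a logout handler that expires those cookies, registered on the same logout configuration shown above. The cookie names are an assumption; use the names your browser shows after login.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;

// Expires the cookies that hold the stateless JWT when /logout is hit.
public class JwtCookieClearingLogoutHandler implements LogoutHandler {

    private final String[] cookieNames;

    // Assumed cookie names (hypothetical): check the real names in your browser.
    public JwtCookieClearingLogoutHandler(String... cookieNames) {
        this.cookieNames = cookieNames;
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        // The path must match the one the cookie was originally set with,
        // otherwise the browser keeps the old cookie and stays logged in.
        String path = request.getContextPath().isEmpty() ? "/" : request.getContextPath();
        for (String name : cookieNames) {
            Cookie expired = new Cookie(name, "");
            expired.setMaxAge(0);              // max-age 0 tells the browser to drop it
            expired.setPath(path);
            expired.setHttpOnly(true);
            expired.setSecure(request.isSecure());
            response.addCookie(expired);
        }
    }
}

// Registration inside configure(HttpSecurity http), alongside the existing
// logoutSuccessHandler() and logoutRequestMatcher from the question:
//
//   .logout(logout -> logout
//           .addLogoutHandler(new JwtCookieClearingLogoutHandler(
//                   "jwt.headerAndPayload", "jwt.signature"))   // assumed names
//           .logoutSuccessHandler(logoutSuccessHandler())
//           .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET")));
```

After logging out, confirm in the browser's developer tools that the JWT cookies are gone and that a reload of a protected view redirects to Keycloak rather than rendering the page.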