How to cancel authentication token in spring security?

In the logout controller, I tried to write a lot of code combinations. Now I have this:

    final Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth != null) {
        // clears the session-bound SecurityContext; the OAuth2 token store is not touched
        new SecurityContextLogoutHandler().logout(request, response, auth);
        auth.setAuthenticated(false); // kept inside the null check to avoid a NullPointerException
    }
    SecurityContextHolder.getContext().setAuthentication(null);

But after this code has executed, the token is still valid.

What am I doing wrong? How do I revoke the token in the end?

+10
java spring spring-security-oauth2
5 answers

The class you are looking for is DefaultServices; it has the revokeToken(String tokenValue) method.

Here is an example of a controller that revokes a token, and here is an oauth2 configuration using the DefaultServices bean.

+10

If you need to cancel the token for a user other than the current one (for example, the administrator wants to disable the user account), you can use this:

    // every access token this client issued to the given user
    Collection<OAuth2AccessToken> tokens = tokenStore.findTokensByClientIdAndUserName(
            "my_oauth_client_id", user.getUsername());
    for (OAuth2AccessToken token : tokens) {
        consumerTokenServices.revokeToken(token.getValue());
    }

where tokenStore is an org.springframework.security.oauth2.provider.token.TokenStore and consumerTokenServices is an org.springframework.security.oauth2.provider.token.ConsumerTokenServices.

+3

The thread is a bit outdated, but for JWT token users this does not work, as the tokens are not stored. Therefore, another option is to use a filter. 1. Create a method for the administrator to lock / unlock the user in your database. 2. Use a filter, and if the method needs authentication, check whether the user is active or not.

Example:

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        // skip unauthenticated and anonymous requests
        if (authentication != null && authentication.getName() != null
                && !authentication.getName().equalsIgnoreCase("anonymousUser")) {
            UserModel user = userService.getUser(authentication.getName());
            // reject every request from a user an administrator has deactivated
            if (user != null && !user.isActivated()) {
                throw new SecurityException("SECURITY_USER_DISABLED");
            }
        }
        chain.doFilter(request, response);
    }

On the client side, just catch this error and disconnect the user, hope this helps someone.

0

A simple example of revoking the token of the current authorized user using DefaultTokenServices:

  1. Need a bean for the default token store:

         @Bean
         public DefaultTokenServices tokenServices() {
             DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
             defaultTokenServices.setTokenStore(tokenStore()); // the TokenStore bean the tokens live in
             defaultTokenServices.setSupportRefreshToken(true);
             return defaultTokenServices;
         }

  2. Then you can write your own controller:

         @RestController
         @RequestMapping("/user")
         public class UserApi {
             @Autowired
             private DefaultTokenServices tokenServices;
             @Autowired
             private TokenStore tokenStore;

             @DeleteMapping("/logout")
             @ResponseStatus(HttpStatus.NO_CONTENT)
             public void revokeToken() {
                 // the request's authentication is the OAuth2Authentication the token store indexes by
                 final OAuth2Authentication auth = (OAuth2Authentication) SecurityContextHolder
                         .getContext().getAuthentication();
                 final String token = tokenStore.getAccessToken(auth).getValue();
                 tokenServices.revokeToken(token);
             }
         }

0

Autowire DefaultTokenServices, then use this code:

    String authHeader = request.getHeader("Authorization");
    // strip the scheme case-insensitively: clients send "Bearer ...", which a plain
    // replace("bearer", "") would not match
    String tokenValue = authHeader.replaceFirst("(?i)^bearer\\s+", "").trim();
    tokenService.revokeToken(tokenValue);
    // these settings apply to tokens this shared bean creates from now on
    tokenService.setAccessTokenValiditySeconds(1);
    tokenService.setRefreshTokenValiditySeconds(1);

Just try the code to revoke the access token.

-2
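Pulling the answers above together, here is an added example (not code from the thread or from Spring) of a controller that revokes the caller's own token from the Authorization header and lets an administrator revoke every token a user holds; it assumes the legacy spring-security-oauth2 TokenStore and DefaultTokenServices beans configured as in the answers (DefaultTokenServices implements ConsumerTokenServices), and the class name, paths and client id are hypothetical placeholders.

```java
import java.util.Collection;
import javax.servlet.http.HttpServletRequest;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.token.ConsumerTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.web.bind.annotation.*;

// Added example, not code from the thread. Assumes the TokenStore and
// DefaultTokenServices beans shown in the answers above are in the context.
@RestController
@RequestMapping("/tokens")
public class TokenRevocationController {
    private static final String CLIENT_ID = "my_oauth_client_id"; // placeholder client id
    private final TokenStore tokenStore;
    private final ConsumerTokenServices tokenServices;

    public TokenRevocationController(TokenStore tokenStore, ConsumerTokenServices tokenServices) {
        this.tokenStore = tokenStore;
        this.tokenServices = tokenServices;
    }

    // Revokes the token presented in this request. The scheme is matched case-insensitively
    // because clients send "Bearer", so replace("bearer", "") would leave the header untouched.
    @DeleteMapping("/self")
    public ResponseEntity<Void> revokeOwnToken(HttpServletRequest request) {
        String header = request.getHeader("Authorization");
        if (header == null || !header.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return ResponseEntity.status(HttpStatus.BAD_REQUEST).build();
        }
        String tokenValue = header.substring(7).trim();
        // DefaultTokenServices.revokeToken removes the access token and its refresh token
        // from the store; it returns false when the token is unknown or already revoked.
        boolean revoked = tokenServices.revokeToken(tokenValue);
        return revoked ? ResponseEntity.noContent().build() : ResponseEntity.notFound().build();
    }

    // Administrative revocation of every token a user holds for CLIENT_ID.
    @PreAuthorize("hasRole('ADMIN')")
    @DeleteMapping("/user/{username}")
    public ResponseEntity<Void> revokeAllForUser(@PathVariable String username) {
        Collection<OAuth2AccessToken> tokens =
                tokenStore.findTokensByClientIdAndUserName(CLIENT_ID, username);
        for (OAuth2AccessToken token : tokens) {
            tokenServices.revokeToken(token.getValue());
        }
        return ResponseEntity.noContent().build();
    }
}
```

With a JwtTokenStore nothing is persisted, so the removal is a no-op and the token stays valid until it expires; that is the case the filter answer above addresses.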
