Grails Redirect Post-Logout Using spring-security-core-3.0.6+

Question

In spring security version 3.0.6, which fixed a CRLF logout exploit (https://jira.springsource.org/browse/SEC-1790) they disabled the use of the 'spring-security-redirect' parameter.

Default support for the redirect parameter in logout URLs has also been removed in 3.0.6. In 3.1 it already needs to be enabled explicitly.

Is there a way to turn the redirect parameter back on, so that I can dynamically redirect in my Grails Spring Security Logout Controller?

LogoutContoller.groovy

def user = springSecurityService.currentUser

if (params.redirect) {
    // this needs to log the user out and then redirect, so don't redirect until we log the user out here
    log.info "Redirecting " + springSecurityService.currentUser.username + " to " + params.redirect
    // the successHandler.targetUrlParameter is spring-security-redirect, which should redirect after successfully logging the user out
    redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl + "?spring-security-redirect="+params.redirect
    return;
}


redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl // '/j_spring_security_logout'

The following no longer works for versions of spring security 3.0.6+

Answer 1

You can logout programmatically and do manual redirect in a action of controller:

// Bean where Spring Security store logout handlers
def logoutHandlers
// logout action
def logout = {
    // Logout programmatically
        Authentication auth = SecurityContextHolder.context.authentication
    if (auth) {
        logoutHandlers.each  { handler->
            handler.logout(request,response,auth)
        }
    }
    redirect uri:params.redirect
}

Answer 2

It is a pretty specialized topic, here is the researched solution:

Here is the 3.0.x commit that removed the redirection: http://git.springsource.org/spring-security/spring-security/commit/a087e828a63edf0932e4eecf174cf816cbe6a58a

The basic idea is that they removed the ability for the default LogoutSuccessHandler bean to handle redirects by removing the targetUrlParameter (setting it to null causes no redirects to happen).

Thus the solution to the problem is to 1) Create a simple LogoutSuccessHandler bean that does not set the targetUrlParameter to null:

/**
 * Handles the navigation on logout by delegating to the {@link AbstractAuthenticationTargetUrlRequestHandler}
 * base class logic.
 */
public class RedirectLogoutSuccessHandler extends AbstractAuthenticationTargetUrlRequestHandler
        implements LogoutSuccessHandler {

    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
            throws IOException, ServletException {
        super.handle(request, response, authentication);
    }

}

And 2) Register this bean in resources.groovy:

 logoutSuccessHandler(com.example.package.RedirectLogoutSuccessHandler)

And the default behavior is to allow for the logout redirects to happen.