I am new to Spring Web MVC.
Can I get an example or online link that shows me how to implement a logout feature using Spring Web MVC?
I don't want to use the built-in feature of Spring Security (i.e. ACEGI).
Thanks in advance.
Spring Security provides the following 2 options: perform the POST logout (this is the default and recommended), or perform the GET logout by disabling the CSRF feature.
Similar to other defaults in Spring Security, the URL that actually triggers the logout mechanism has a default as well – /logout.
Spring Security Session Timeout: In the case of Tomcat, we can set the session timeout by configuring the maxInactiveInterval attribute on the manager element in server.xml or using the session-timeout element in web.xml. Note that the first option will affect every app that's deployed to the Tomcat instance.
To enable Spring Security integration with Spring MVC add the @EnableWebSecurity annotation to your configuration. Spring Security provides the configuration using Spring MVC's WebMvcConfigurer.
The trick with the session invalidation doesn't work. It seems the Spring authentication buffers the session ID somewhere and accepts the COOKIE even if the session was invalidated.
Another solution is to clear the Spring security context manually:
    public void manualLogout() {
        SecurityContextHolder.getContext().setAuthentication(null);
    }
Here is the code showing how to log in a user manually (if somebody needs it):

    public void doManualLogin(HttpServletRequest request, String u, String p) {
        // Build an unauthenticated token from the submitted credentials.
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(u, p);
        token.setDetails(new WebAuthenticationDetails(request));
        // authenticate() throws AuthenticationException on bad credentials.
        Authentication auth = authenticationProvider.authenticate(token);
        SecurityContextHolder.getContext().setAuthentication(auth);
    }

where the authenticationProvider is the bean from your Spring configuration which implements
org.springframework.security.authentication.AuthenticationProvider
You only have to invalidate the session and the user is logged out. This is directly supported by the servlet API: HttpSession.invalidate(). You can write one controller that only calls invalidate.
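    class Logout implements Controller {
        public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response) {
            // Placeholder target: the original answer left the view unspecified.
            ModelAndView view = new ModelAndView("redirect:/");
            // Look up the session without creating one, then invalidate it.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            return view;
        }
    }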