
How to implement Logout feature using Spring Web Mvc

I am new to Spring Web MVC.

Can I get some example or online link that shows me how to implement a logout feature using Spring Web MVC?

I don't want to use the built-in feature of Spring Security (i.e. ACEGI).

Thanks in advance.

Nirmal asked Nov 18 '09 10:11


People also ask

How do I logout of spring boot security?

Spring Security provides the following 2 options:
1. Perform the POST logout (this is default and recommended).
2. Perform the GET logout by disabling the CSRF feature.

What is the default logout URL defined by Spring Security?

Similar to other defaults in Spring Security, the URL that actually triggers the logout mechanism has a default as well – /logout.

How do I set session timeout in Spring Security?

In the case of Tomcat we can set the session timeout by configuring the maxInactiveInterval attribute on the manager element in server.xml or using the session-timeout element in web.xml. Note that the first option will affect every app that's deployed to the Tomcat instance.

How can you integrate Spring MVC application you build with Spring Security?

To enable Spring Security integration with Spring MVC add the @EnableWebSecurity annotation to your configuration. Spring Security provides the configuration using Spring MVC's WebMvcConfigurer.


2 Answers

The trick with the session invalidation doesn't work. It seems the Spring authentication buffers the session ID somewhere and accepts the cookie even if the session was invalidated.

Another solution is to clear the Spring security context manually:

public void manualLogout() {
    SecurityContextHolder.getContext().setAuthentication(null);
}

Here is the code to log in a user manually (if somebody needs it):

public void doManualLogin(HttpServletRequest request, String u, String p) {
    UsernamePasswordAuthenticationToken token = 
            new UsernamePasswordAuthenticationToken(u, p);
    token.setDetails(new WebAuthenticationDetails(request));
    Authentication auth = authenticationProvider.authenticate(token);
    SecurityContextHolder.getContext().setAuthentication(auth);
}

where the authenticationProvider is the bean from your Spring configuration which implements

org.springframework.security.authentication.AuthenticationProvider

30thh answered Oct 12 '22 00:10


You only have to invalidate the session and the user is logged out. This is directly supported by the servlet api: HttpSession.invalidate(). You can write one controller that does only call invalidate.

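import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.Controller;

class Logout implements Controller {
    public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response) {
        // Placeholder view name: the answer leaves the view unspecified.
        ModelAndView view = new ModelAndView("VIEW_NAME_PLACEHOLDER");
        // Discard the server-side session; the user is then logged out.
        request.getSession().invalidate();
        return view;
    }
}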

Thomas Jung answered Oct 12 '22 00:10
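
The two answers above can be combined into one handler that invalidates the session, clears the security context and expires the session cookie. This is an added example, not code from either answer. It assumes Spring 4.3+ on the javax.servlet API; the path `/manual-logout`, the redirect target and the `JSESSIONID` cookie name (the usual container default) are assumptions.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;

@Controller
public class ManualLogoutController {

    // Assumption: the container uses its default session cookie name.
    private static final String SESSION_COOKIE = "JSESSIONID";

    // POST only, so a plain link or image tag on another site cannot
    // log the user out with a GET request. Hypothetical path.
    @PostMapping("/manual-logout")
    public String logout(HttpServletRequest request, HttpServletResponse response) {
        // 1. Destroy server-side session state. getSession(false) avoids
        //    creating a fresh session only to throw it away.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Drop the Authentication held for the current request thread,
        //    so nothing later in this request sees the user as logged in.
        SecurityContextHolder.clearContext();

        // 3. Tell the browser to discard the old session cookie. The path
        //    must match the one the container used when it set the cookie.
        String contextPath = request.getContextPath();
        Cookie expired = new Cookie(SESSION_COOKIE, "");
        expired.setPath(contextPath.isEmpty() ? "/" : contextPath);
        expired.setMaxAge(0);
        expired.setHttpOnly(true);
        expired.setSecure(request.isSecure());
        response.addCookie(expired);

        // Hypothetical landing page after logout.
        return "redirect:/login?logout";
    }
}
```

If a persistent login (remember-me) cookie is also in use, it has to be expired in the same way, otherwise the next request re-authenticates the user.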