Menu
I have a spring configuration for logout like follows:
<logout logout-url="/abc/logout"
logout-success-url="/abc/login"/>
Now I want to do programmatically logout. How I can achieve this in Spring 3. I need to do logout from one of my controller which has the following def. and currently I am doing something like following...Is this a good idea..
public void suppressUserProfile() {
//...
return "redirect:/abc/logout";
}
334
Basic Configuration The basic configuration of Spring Logout functionality using the logout() method is simple enough: @Configuration @EnableWebSecurity public class SecSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(final HttpSecurity http) throws Exception { http //... .
Logout Configuration logout . Spring security provides flexibility to change the URL. If CSRF protection is active (default), Spring security expects the logout request must of POST type, we can use the GET logout request by disabling the CSRF protection.
For setting the timeout of the session you can use the spring. session. timeout property. If that property is not set, the auto-configuration falls back to the value of server.
The default is that accessing the URL /logout will log the user out by: Invalidating the HTTP Session. Cleaning up any RememberMe authentication that was configured.
It depends. If it's ok for your app to place the logged out user on the "you have been logged out" page then this may be ok. But you can't be sure if your user will really be logged out (e.g. if the browser is suppressing the redirect).
Programmatically you can log out this way:
public void logout(HttpServletRequest request, HttpServletResponse response) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth != null){
new SecurityContextLogoutHandler().logout(request, response, auth);
}
SecurityContextHolder.getContext().setAuthentication(null);
}
As @LateralFractal pointed out, if you haven't changed the defaults of the SecurityContextLogoutHandler (see https://github.com/spring-projects/spring-security/blob/3.2.x/web/src/main/java/org/springframework/security/web/authentication/logout/SecurityContextLogoutHandler.java#L96 ) you can cut this down to
public void logout(HttpServletRequest request) {
new SecurityContextLogoutHandler().logout(request, null, null);
}
or even (although it's a bit ugly)
public void logout() {
HttpServletRequest request =
((ServletRequestAttributes)RequestContextHolder.getRequestAttributes())
.getRequest();
new SecurityContextLogoutHandler().logout(request, null, null);
See https://stackoverflow.com/a/9767869/1686330 for some background on getting the HttpServletRequest.
84
HttpSession session = request.getSession();
session.invalidate();
SecurityContextHolder.clearContext();
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
