how to perform operation just before logout in spring?

Question

First of all this is not a duplicate question i checked answers here! and here! but couldnt get it to work.

Also i want to perform it just before logout so can not use logoutSuccessHandler.

So i need to create a custom LOGOUT_FILTER , with which i am really having hard time getting it to work.

here is my spring-security xml in which i tried two methods first was :-

 <custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />

<beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<beans:constructor-arg index="0" value="/logoutSuccess" />
<beans:constructor-arg index="1">
    <beans:list>
        <beans:bean id="securityContextLogoutHandler"
        class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
    <beans:bean id="myLogoutHandler" class="com.fe.cms.listener.SimpleLogoutHandler" />
    </beans:list>
</beans:constructor-arg>
<beans:property name="filterProcessesUrl" value="/logout" />
</beans:bean>

but this gives me error

Configuration problem: Security namespace does not support decoration of element [custom-filter] 

then i tried..

<beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <beans:constructor-arg index="0" value="/logout" />
    <beans:constructor-arg index="1">
        <beans:ref bean="securityContextLogoutHandler" />
        <beans:ref bean="myLogoutHandler" />
    </beans:constructor-arg>
    <beans:property name="filterProcessesUrl" value="/logout" />
</beans:bean>

<beans:bean id="securityContextLogoutHandler"
    class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />

<beans:bean id="myLogoutHandler" class="com.fe.cms.listener.SimpleLogoutHandler" />

<http auto-config="false" entry-point-ref="authenticationManger">
    <custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />
</http>

but this gives me error :-

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChains': Cannot resolve reference to bean 'org.springframework.security.web.DefaultSecurityFilterChain#48' while setting bean property 'sourceList' with key [48]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.web.DefaultSecurityFilterChain#48': Cannot create inner bean '(inner bean)' of type [org.springframework.security.web.access.ExceptionTranslationFilter] while setting constructor argument with key [6]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#181': Could not resolve matching constructor (hint: specify index/type/name arguments for simple parameters to avoid type ambiguities)

Please can anyone tell where am i doing wrong .. i will post full xml files if needed

Answer 1

According to your clarification what you want is to get access the to session and perform some logic. Instead of hacking around with a custom LogoutFilter simply write an ApplicationListener that listens to HttpSessionDestroyedEvents.

@Component
public class SessionListener implements ApplicationListener<HttpSessionDestroyedEvent> {

    public void onApplicationEvent(HttpSessionDestroyedEvent evt) {
        HttpSession session = evt.getSession();
        // Your logic here
    }
}

To be able re receive events make sure that you register the HttpSessionEventPublisher in your web.xml.

<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

Main advantage of this solution is that you will also be able to process sessions that timeout and not only regular logouts.

Answer 2

If you need to execute some operation just before logout I suppose Spring interceptors can help you.

You could implement a class like this:

public class JustBeforeLogoutInterceptor extends HandlerInterceptorAdapter {

    @Override
    public boolean preHandle(HttpServletRequest request,
            HttpServletResponse response, Object handler) throws Exception {
        boolean res = super.preHandle(request, response, handler);
        //
        // your code...
        //
        return res;
    }
}

Then you need to configure the interceptor:

<mvc:interceptors>
    <mvc:interceptor>
        <mvc:mapping path="/logout" />
        <bean class="your.app.JustBeforeLogoutInterceptor" />
    </mvc:interceptor>
</mvc:interceptors>

This should work. Take a try.