In Spring-Security what exactly is the j_spring_security_logout? I've heard it referred to as a "handler" but I'm not sure what that means

I've been learning spring and spring-security and came across auto-config="true" attribute for the tag in the spring security context. I was introduced to j_spring_security_logout as the url to submit to for logging out functionality in jsp.

Used like this in the jsp:

<p><a href="../j_spring_security_logout">logout buddy</a></p>
<p><a href="../j_spring_security_login">login</a></p>

What exactly is this j_spring_security_logout (magic) provided by Spring? I've heard it being referred to as a handler. But I have no idea what that means.

Thank you in advance.

Horse Voice asked Dec 26 '22 17:12


1 Answer

When a request to /j_spring_security_logout is sent by a browser, it initially goes to org/springframework/security/web/authentication/logout/LogoutFilter, which then delegates the logout task to an org/springframework/security/web/authentication/logout/LogoutHandler implementation.

org/springframework/security/web/authentication/logout/SecurityContextLogoutHandler is an implementation of LogoutHandler and it has a method logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) which will be called by LogoutFilter.

The LogoutHandler primarily does two things:

  1. Invalidates the session if it is configured to do so
  2. Clears the SecurityContextHolder which is where Authentication details are stored.

shazin answered Dec 28 '22 06:12
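
The delegation described in the answer, written out as an added example (not code from the original post or from Spring itself): a `LogoutFilter` bound to `/j_spring_security_logout` that calls two `LogoutHandler` implementations in order. `AuditLogoutHandler`, `LogoutWiring` and the `/login.jsp?loggedOut` redirect target are hypothetical names, and the code assumes the Spring Security 3.x API on the `javax.servlet` classpath.

```java
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;

// Hypothetical handler: a "handler" is just an object the filter calls on logout.
class AuditLogoutHandler implements LogoutHandler {
    private static final Logger LOG = Logger.getLogger("security.audit");

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        // The filter passes null when nobody is logged in on this request.
        String user = (authentication != null) ? authentication.getName() : "anonymous";
        // Strip CR/LF so a crafted username cannot forge extra audit lines.
        user = user.replaceAll("[\\r\\n]", "_");
        LOG.info("logout user=" + user + " remote=" + request.getRemoteAddr());
    }
}

// Hypothetical wiring class: builds the filter that auto-config would otherwise create.
public class LogoutWiring {

    public static LogoutFilter buildLogoutFilter() {
        // Step 1 from the answer: invalidate the HTTP session.
        // Step 2: clearing the SecurityContextHolder is done by the same handler.
        SecurityContextLogoutHandler contextHandler = new SecurityContextLogoutHandler();
        contextHandler.setInvalidateHttpSession(true);

        // Handlers run in the order given; the audit handler goes first so it
        // records the user before the session and context are torn down.
        LogoutFilter filter = new LogoutFilter(
                "/login.jsp?loggedOut",          // assumed post-logout redirect
                new AuditLogoutHandler(),
                contextHandler);

        // The URL from the question: requests to it trigger the handlers above.
        filter.setFilterProcessesUrl("/j_spring_security_logout");
        return filter;
    }
}
```

The returned filter still has to be registered in the application's security filter chain; with the namespace configuration that step is done for you.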