I've implemented my own LogoutHandler and I'm trying to configure it in the spring security xml, but for some reason it's not being called on logout (the logout is successful, but my code isn't executed).
This is my security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:http use-expressions="true">
        <security:intercept-url pattern="/logoutSuccess" access="permitAll" />
        <security:logout logout-url="/logout" logout-success-url="/logoutSuccess" />
    </security:http>

    <bean id="logoutFilter"
          class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <constructor-arg index="0" value="/logoutSuccess" />
        <constructor-arg index="1">
            <list>
                <bean id="securityContextLogoutHandler"
                      class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
                <bean id="myLogoutHandler" class="my.package.MyLogoutHandler" />
            </list>
        </constructor-arg>
        <property name="filterProcessesUrl" value="/logout" />
    </bean>

</beans>
MyLogoutHandler - this is what I want to execute on logout, but it's not being called:
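import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;

public class MyLogoutHandler implements LogoutHandler {
    // Invoked by the LogoutFilter that holds this handler in its handler list.
    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
        System.out.println("logout!");
    }
}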
Does anyone have any idea why it's not working? Thanks!
As you want to use your custom filter instead of Spring Security's default logout filter, add this line to the logout filter bean:
<security:custom-filter position="LOGOUT_FILTER"/>
or add this line in your Spring Security config:
<security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER"/>
Edited
<security:http use-expressions="true">
    <security:intercept-url pattern="/logoutSuccess" access="permitAll" />
    <security:logout logout-url="/logout"
                     logout-success-url="/logoutSuccess" success-handler-ref="myLogoutHandler" />
</security:http>

<bean id="myLogoutHandler" class="my.package.MyLogoutHandler" />
Also, you can implement the LogoutSuccessHandler interface instead of LogoutHandler.
Edit2
OK, so if you don't want to call your handler after logout is complete, remove the logout tag and set everything in the logout filter bean:
<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <constructor-arg index="0" value="/logoutSuccess" />
    <constructor-arg index="1">
        <list>
            <bean id="securityContextLogoutHandler"
                  class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
            <bean id="myLogoutHandler" class="my.package.MyLogoutHandler" />
        </list>
    </constructor-arg>
    <property name="filterProcessesUrl" value="/logout" />
</bean>
And add <security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER"/>
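The wiring problem discussed in this thread can be caught before deployment. The following is an added example, not part of the original question or answer: a small Python check that flags a LogoutFilter bean which no `<security:custom-filter>` references (so its handlers never run), and an `<security:http>` block that keeps `<security:logout>` next to a custom filter at LOGOUT_FILTER. The function name, finding labels and sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

BEANS = "{http://www.springframework.org/schema/beans}"
SEC = "{http://www.springframework.org/schema/security}"
LOGOUT_FILTER = "org.springframework.security.web.authentication.logout.LogoutFilter"

def lint_logout_wiring(xml_text):
    """Return findings about LogoutFilter beans in a Spring Security XML config."""
    root = ET.fromstring(xml_text)
    https = root.findall(SEC + "http")
    # Bean ids that a <security:http> element actually places in its filter chain.
    wired = {cf.get("ref") for h in https for cf in h.findall(SEC + "custom-filter")}
    findings = []
    for bean in root.findall(BEANS + "bean"):
        if bean.get("class") == LOGOUT_FILTER and bean.get("id") not in wired:
            # Declared but never referenced from the chain: list the handlers affected.
            handlers = [b.get("class") for b in bean.iter(BEANS + "bean") if b is not bean]
            findings.append(("unwired-logout-filter", bean.get("id"), handlers))
    for h in https:
        custom = any(cf.get("position") == "LOGOUT_FILTER"
                     for cf in h.findall(SEC + "custom-filter"))
        if custom and h.find(SEC + "logout") is not None:
            # The answer's second edit removes <security:logout> in this situation.
            findings.append(("logout-element-with-custom-filter", None, []))
    return findings

# Constructed sample input modelled on the configs in the thread.
HEAD = ('<beans xmlns="http://www.springframework.org/schema/beans" '
        'xmlns:security="http://www.springframework.org/schema/security">')
FILTER_BEAN = f'''<bean id="logoutFilter" class="{LOGOUT_FILTER}">
  <constructor-arg index="0" value="/logoutSuccess"/>
  <constructor-arg index="1"><list>
    <bean class="my.package.MyLogoutHandler"/>
  </list></constructor-arg>
  <property name="filterProcessesUrl" value="/logout"/>
</bean></beans>'''
LOGOUT_TAG = '<security:logout logout-url="/logout" logout-success-url="/logoutSuccess"/>'
CUSTOM_TAG = '<security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER"/>'

def config(*http_children):
    return HEAD + "<security:http>" + "".join(http_children) + "</security:http>" + FILTER_BEAN

QUESTION_CONFIG = config(LOGOUT_TAG)          # the asker's wiring
FIXED_CONFIG = config(CUSTOM_TAG)             # the answer's second edit
BOTH_CONFIG = config(LOGOUT_TAG, CUSTOM_TAG)  # logout tag kept next to the custom filter

if __name__ == "__main__":
    for name in ("QUESTION_CONFIG", "FIXED_CONFIG", "BOTH_CONFIG"):
        print(name, lint_logout_wiring(globals()[name]))
```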