Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

spring security logout causes NullPointerException

Tags:

java

spring

spring-security

I've been trying to understand spring-security for some time, and I've gotten around with most of the things except for the logout aspect. Going through other questions on SO, i felt most of them were facing problems related to the session not terminating.

I, on the other hand, am facing quite a different sort of trouble. My security XML file is configured as follows:

<http path-type="ant" auto-config="false" use-expressions="true"
    access-denied-page="/?login_error=2">
    <intercept-url pattern="/web/open/**" access="permitAll" />
    <intercept-url pattern="/web/**" access="isAuthenticated()" />

    <form-login login-processing-url="/static/j_spring_security_check"
        default-target-url="/web/base/view" always-use-default-target="true"
        login-page="/" authentication-failure-url="/?login_error=1" />

    <logout logout-url="/static/j_spring_security_logout"
        invalidate-session="true" logout-success-url="/" />
</http>

In my web.xml i've mapped the login controller to the context root [using the welcome-file list], and also have the required springSecurityFilterChain setup. Now the login operations run perfectly. The target JSP has a logout link as:

<a href="<c:url value="/static/j_spring_security_logout"/>">Logout</a>

However, whenever i click on the logout link, I get a ghastly NullPointerException. Can anyone let me know if there's some glaring mistake I'm making here?

Exception stack:

java.lang.NullPointerException
    at java.util.Hashtable.get(Hashtable.java:334)
    at org.apache.tomcat.util.http.Parameters.getParameterValues(Parameters.java:116)
    at org.apache.tomcat.util.http.Parameters.getParameter(Parameters.java:127)
    at org.apache.catalina.connector.Request.getParameter(Request.java:1133)
    at org.apache.catalina.connector.RequestFacade.getParameter(RequestFacade.java:384)
    at javax.servlet.ServletRequestWrapper.getParameter(ServletRequestWrapper.java:140)
    at org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler.determineTargetUrl(AbstractAuthenticationTargetUrlRequestHandler.java:86)
    at org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler.handle(AbstractAuthenticationTargetUrlRequestHandler.java:67)
    at org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler.onLogoutSuccess(SimpleUrlLogoutSuccessHandler.java:28)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:100)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)

Thanks for taking the time.

like image 482
anirvan Avatar asked Sep 06 '11 20:09

anirvan

1 Answers

The determineTargetUrl method in AbstractAuthenticationTargetUrlRequestHandler seems to fail on getting request parameters. For me it's usually fine to provide a defaultTargetUrl and set alwaysUseDefaultTargetUrl to true which meens that determineTargetUrl always returns the given URL and prevent URL determination magic.

I'd do this by registering my own LogoutSuccessHandler implementation like:

<logout
    logout-url="/static/j_spring_security_logout"
    invalidate-session="true"
    success-handler-ref="myLogoutSuccessHandler" />

instead of logout-success-url.

A LogoutSuccessHandler can look as simple as:

public class MyLogoutSuccessHandler extends AbstractAuthenticationTargetUrlRequestHandler implements LogoutSuccessHandler {

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication throws IOException, ServletException {
        // maybe do some other things ...
        super.handle(request, response, authentication);
    }
}

Set your logout URL as defaultTargetUrl in your security context when defining the bean for the custom LogoutSuccessHandler:

<bean id="myLogoutSuccessHandler" class="foobar.impl.MyLogoutSuccessHandler">
    <property name="defaultTargetUrl" value="/" />
    <property name="alwaysUseDefaultTargetUrl" value="true" />
</bean>
like image 162
jeha Avatar answered Sep 28 '22 02:09

jeha
Sign in to Comment

Related questions

How to draw swt image?
WS in TIBCO BW or in Java
Java Class.getMethods() behavior on overridden methods
Alphabet constant in Java?
detecting build configuration (debug or release) within ant script
Shorter way to check for null with parseDouble?
Unable to instantiate activity... Caused by ClassNotFoundException
Java HttpURLConnection: Content Length computation
Current working directory when running a Jar
Which JavaScript (ECMAScript) version does Java's Rhino implementation implement (and what's the update policy?)
Synchronized threads and locking
How to indicate the file name for saving to the browser from a REST service in Jersey?
ByteBuffer getInt() question
Efficient BigInteger in Java
Scroll a JScrollPane to a specific row on a JTable [duplicate]
Unix sort command takes much longer depending on where it is executed?! (fastest from ProcessBuilder in program run from IDE, slowest from terminal)
final fields and thread-safety
Convert java project into android project on Eclipse [duplicate]
JNA Catching Exceptions
Get running time of a thread java

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!