
Spring security logout goes to j_spring_security_logout

In my web application, when I try to log out it goes to j_spring_security_logout instead of the given page. In my spring-security.xml page I have added

<logout logout-success-url="/login" delete-cookies="JSESSIONID" />

The problem is this worked earlier when I used spring security 3.1.4.RELEASE version. Now I'm using 3.2.2.RELEASE.

I've tried the following also. Didn't work.

<logout logout-url="/logout" delete-cookies="JSESSIONID" />

spring-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security.xsd">

<http auto-config='true'>
    <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**" access="ROLE_USER" />
    <form-login login-page="/login" default-target-url="/transaction-view"
        always-use-default-target="true" authentication-failure-url="/loginfailed" />
    <logout logout-url="/logout" logout-success-url="/login.jsp" delete-cookies="JSESSIONID" />
    <session-management invalid-session-url="/invalidSession.htm">
        <concurrency-control max-sessions="1"
            error-if-maximum-exceeded="true" /> <!--this will throw error to second login attempt -->
    </session-management>
    <!-- <custom-filter before="FORM_LOGIN_FILTER" ref="myFilter" /> -->
    <csrf />
</http>

<beans:bean id="customSecurityService"
    class="com.fg.monitoringtool.web.security.SecurityService"></beans:bean>
<beans:bean id="passwordEncoder"
    class="com.fg.monitoringtool.web.security.PasswordEncoderMD5"></beans:bean>


<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="customSecurityService">
        <password-encoder ref="passwordEncoder">
        </password-encoder>
    </authentication-provider>

</authentication-manager>

</beans:beans>

Thanks in advance.

Ravindu asked Mar 24 '14 08:03



2 Answers

When you have Spring Security CSRF protection enabled, you must log out with POST:

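<%-- JSTL core taglib, needed for c:url --%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<c:url var="logoutUrl" value="/logout"/>
<form action="${logoutUrl}" method="post">
  <input type="submit" value="Log out" />
  <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>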
holmis83 answered Oct 11 '22 18:10


A better approach, to use the default logout URL, would be:

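<%-- JSTL core taglib, needed for c:url --%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%-- Leading slash so c:url prepends the context path from any page --%>
<c:url var="logoutUrl" value="/j_spring_security_logout"/>
<form action="${logoutUrl}" method="post">
  <input type="submit" value="Log out" />
  <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>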
neel4soft answered Oct 11 '22 20:10
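
Both answers replace the logout link with a form. Where the page has to keep an <a> link, a script can turn the click into the same POST with the CSRF token. The following is an added example, not code from either answer; the meta tag names _csrf_parameter and _csrf and the data-logout attribute are assumptions of this example.

```javascript
// Assumed page markup (names are this example's choice, not Spring's):
//   <meta name="_csrf_parameter" content="${_csrf.parameterName}"/>
//   <meta name="_csrf" content="${_csrf.token}"/>
//   <a href="<c:url value='/logout'/>" data-logout>Log out</a>

function readCsrf(doc) {
  const meta = (name) => {
    const el = doc.querySelector('meta[name="' + name + '"]');
    return el ? el.getAttribute('content') : null;
  };
  const parameterName = meta('_csrf_parameter');
  const token = meta('_csrf');
  if (!parameterName || !token) {
    throw new Error('CSRF meta tags missing; not submitting logout');
  }
  return { parameterName, token };
}

function buildLogoutForm(doc, logoutUrl) {
  // Only post the token to a path on this origin ("/x", not "//host" or "http:").
  if (!/^\/(?![\/\\])/.test(logoutUrl)) {
    throw new Error('logout URL must be a same-origin path');
  }
  const csrf = readCsrf(doc);
  const form = doc.createElement('form');
  form.setAttribute('method', 'post'); // the method the first answer says is required
  form.setAttribute('action', logoutUrl);
  const input = doc.createElement('input');
  input.setAttribute('type', 'hidden');
  input.setAttribute('name', csrf.parameterName);
  input.setAttribute('value', csrf.token);
  form.appendChild(input);
  return form;
}

function enableLogoutLinks(doc) {
  doc.querySelectorAll('a[data-logout]').forEach((link) => {
    link.addEventListener('click', (event) => {
      event.preventDefault(); // stop the GET that ends up on the logout URL
      const form = buildLogoutForm(doc, link.getAttribute('href'));
      doc.body.appendChild(form);
      form.submit();
    });
  });
}

if (typeof document !== 'undefined') {
  enableLogoutLinks(document);
}
```

Load the script at the end of the body so the links exist when it runs. With scripting disabled the link still issues a GET, so the form from the answers remains the fallback.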