How to manually logout using spring security?

The answer is probably simple: how can I manually log out the currently logged-in user in Spring Security? Is it enough to call:

SecurityContextHolder.getContext().getAuthentication().setAuthenticated(false); 

?

+56
spring spring-security logout
Apr 20 '11 at 8:13
9 answers

In the Servlet 3.0 Spring container, the logout() function is integrated with the servlet, and you just call logout() on the HttpServletRequest . You still need to write valid response content.

According to the documentation (Spring 3.2):

The HttpServletRequest.logout() method can be used to log out the current user.

Usually this means that the SecurityContextHolder will be cleared out, the HttpSession will be invalidated, any "Remember me" authentication will be cleared, etc.

+25
Jan 28 '14 at 20:11

It's hard for me to say for sure if your code is enough. However, the standard Spring Security implementation for logging out is different. If you look at SecurityContextLogoutHandler, you will see what they do:

  SecurityContextHolder.clearContext(); 

In addition, they do not necessarily invalidate the HttpSession:

    if (invalidateHttpSession) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }

You can find more information in another question about org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler out of Spring Security and by looking at the source code of org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler .

+56
Apr 20 '11 at 8:21

I use the same code in LogoutFilter, reusing LogoutHandlers as follows:

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
    import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
    import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;

    public static void myLogoff(HttpServletRequest request, HttpServletResponse response) {
        // Expires the remember-me cookie on the client ("remember-me" by default)
        CookieClearingLogoutHandler cookieClearingLogoutHandler =
                new CookieClearingLogoutHandler(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
        // Clears the SecurityContextHolder and invalidates the HttpSession
        SecurityContextLogoutHandler securityContextLogoutHandler = new SecurityContextLogoutHandler();
        cookieClearingLogoutHandler.logout(request, response, null);
        securityContextLogoutHandler.logout(request, response, null);
    }
+15
Dec 12 '12 at 11:27
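The two answers above (SecurityContextLogoutHandler on its own, and the handler composition in myLogoff) put together into a controller endpoint, as an added example that is not code from the thread or from Spring Security itself. The controller name, the /manual-logout path, the "JSESSIONID" cookie name and the redirect target are assumptions; the handler classes and the remember-me cookie constant are the real Spring Security ones already named on this page.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

// Hypothetical controller (added example, not code from the thread).
// It reuses the same LogoutHandlers that LogoutFilter would run, so a
// "manual" logout tears down exactly what the configured /logout would.
@Controller
public class ManualLogoutController {

    private final LogoutHandler[] handlers;

    public ManualLogoutController() {
        // Clears the SecurityContextHolder and, because invalidateHttpSession
        // is true, invalidates the HttpSession. Only calling
        // authentication.setAuthenticated(false), as in the question, would
        // flip a flag on the in-memory object and leave the session alive.
        SecurityContextLogoutHandler contextHandler = new SecurityContextLogoutHandler();
        contextHandler.setInvalidateHttpSession(true);

        // Expires the session cookie and the remember-me cookie on the client
        // so neither can be replayed; "JSESSIONID" is an assumed cookie name.
        CookieClearingLogoutHandler cookieHandler = new CookieClearingLogoutHandler(
                "JSESSIONID", AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);

        this.handlers = new LogoutHandler[] { contextHandler, cookieHandler };
    }

    // POST rather than GET: with CSRF protection enabled (the Spring Security 4
    // default) a logout that can be triggered by a plain link could otherwise
    // be forced on the user by a third-party page.
    @RequestMapping(value = "/manual-logout", method = RequestMethod.POST)
    public String logout(HttpServletRequest request, HttpServletResponse response) {
        // Capture the Authentication before any handler clears the context;
        // handlers that audit the logout still get to see who it was.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        for (LogoutHandler handler : handlers) {
            handler.logout(request, response, auth);
        }
        // The response still needs content; a redirect to the login page is
        // the usual choice and also prevents a resubmit of the logout POST.
        return "redirect:/login?logout";
    }
}
```

The order matters only for handlers that need the session: SecurityContextLogoutHandler invalidates it, so anything that reads session attributes has to run before it. CookieClearingLogoutHandler only writes Set-Cookie headers and is fine in either position.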

To log out of a custom web application, you can also redirect to the logout page. Then LogoutFilter does all the work for you.

In the security configuration, the logout page URL is:

    <sec:http ...>
        ...
        <sec:logout logout-url="/logout" logout-success-url="/login?logout_successful=1" />
        ...
    </sec:http>
+10
Aug 31 '12 at 7:12

You can also use SessionRegistry like:

 sessionRegistry.getSessionInformation(sessionId).expireNow(); 

If you want to force logout of all of a user's sessions, use the getAllSessions method and call expireNow on each SessionInformation.

Edit
This requires a ConcurrentSessionFilter (or any other filter in the chain) that checks the SessionInformation, calls all logout handlers and then redirects.

+9
Apr 20 2018-11-11T00:
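The SessionRegistry approach from the answer above carried through, as an added example that is not the answerer's code: the single-session form shown above plus the "all sessions of one user" form the answer describes in words, which is what you need when an account is disabled or a password is changed. The class and method names are assumptions; SessionRegistry, SessionInformation and UserDetails are the real Spring Security types.

```java
import java.util.List;

import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.userdetails.UserDetails;

// Added example (not from the thread). Forces logout of every session a user
// holds; class and method names are assumptions for this example.
public class UserSessionTerminator {

    private final SessionRegistry sessionRegistry;

    public UserSessionTerminator(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    /**
     * Marks every live session of the given user as expired and returns how
     * many were affected. The sessions are not destroyed here: on the user's
     * next request ConcurrentSessionFilter sees the expired flag, runs the
     * logout handlers and redirects, so until then the session id still exists.
     */
    public int expireAllSessions(String username) {
        int expired = 0;
        for (Object principal : sessionRegistry.getAllPrincipals()) {
            if (!belongsTo(principal, username)) {
                continue;
            }
            // includeExpiredSessions=false: skip sessions already marked expired
            List<SessionInformation> sessions = sessionRegistry.getAllSessions(principal, false);
            for (SessionInformation info : sessions) {
                info.expireNow();
                expired++;
            }
        }
        return expired;
    }

    /** Expires a single session by id, the form shown in the answer above. */
    public boolean expireSession(String sessionId) {
        SessionInformation info = sessionRegistry.getSessionInformation(sessionId);
        if (info == null || info.isExpired()) {
            return false;
        }
        info.expireNow();
        return true;
    }

    // Principals registered by the standard providers are UserDetails objects;
    // a plain String principal is compared directly.
    private static boolean belongsTo(Object principal, String username) {
        if (principal instanceof UserDetails) {
            return username.equals(((UserDetails) principal).getUsername());
        }
        return username.equals(String.valueOf(principal));
    }
}
```

For the registry to be populated you need concurrency control enabled in the security configuration (in XML, `<session-management><concurrency-control session-registry-alias="sessionRegistry"/></session-management>`) and the `org.springframework.security.web.session.HttpSessionEventPublisher` listener in web.xml, so that destroyed sessions are removed from the registry again. Because `getAllPrincipals()` is keyed on the principal object, your UserDetails implementation must define `equals` and `hashCode` on the username for `getAllSessions` to find the right entries.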

We recently had to implement logout functions using Spring Security 3.0.5. Although this question has already been answered above, I will post the full code, which will definitely help a novice user like me :)

Configuration in spring-security.xml

    <http auto-config="false" lowercase-comparisons="false" use-expressions="true">
        <custom-filter position="LOGOUT_FILTER" ref="logoutFilter" />
    </http>

    <beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <beans:constructor-arg name="logoutSuccessHandler" ref="XXXLogoutSuccessHandler" />
        <beans:constructor-arg name="handlers">
            <beans:list>
                <beans:ref bean="securityContextLogoutHandler"/>
                <beans:ref bean="XXXLogoutHandler"/>
            </beans:list>
        </beans:constructor-arg>
        <beans:property name="filterProcessesUrl" value="/logout"/>
    </beans:bean>

    <beans:bean id="XXXLogoutSuccessHandler" class="com.tms.dis.sso.XXXLogoutSuccessHandler"/>

    <beans:bean id="securityContextLogoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
        <beans:property name="invalidateHttpSession" value="true"/>
    </beans:bean>

    <beans:bean id="XXXLogoutHandler" class="com.tms.dis.sso.XXXLogoutHandler"/>

Here I created two custom classes:

  • XXXLogoutHandler, which implements org.springframework.security.web.authentication.logout.LogoutHandler and overrides the logout() method.
  • XXXLogoutSuccessHandler, which implements org.springframework.security.web.authentication.logout.LogoutSuccessHandler and overrides the onLogoutSuccess() method. In the XXXLogoutSuccessHandler.onLogoutSuccess() method, call the redirectStrategy.sendRedirect() method, which will bring the user to a specific destination URL.
  • org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler performs the task of invalidating the user session.

I hope this helps and points beginners in the right direction.

Note: the code for the custom implementation is intentionally not posted.

+3
Oct 24 '13 at 13:26
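The answer above deliberately leaves out its XXXLogoutHandler and XXXLogoutSuccessHandler classes. As an added example that is not the answerer's code, here is one possible pair of handlers that fit the LogoutFilter configuration shown: an audit handler and a redirecting success handler. The class names, the log format and the default "/login" target are assumptions; LogoutHandler, LogoutSuccessHandler and DefaultRedirectStrategy are the real Spring Security types.

```java
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

// Added example, not the answer's own XXX classes: two handlers that could be
// registered in place of XXXLogoutHandler and XXXLogoutSuccessHandler above.
public final class CustomLogoutHandlers {

    private CustomLogoutHandlers() {
    }

    /**
     * Runs as one entry of the LogoutFilter handler list. LogoutFilter reads the
     * Authentication before calling any handler, so it is still populated here
     * even though SecurityContextLogoutHandler is listed first; the HttpSession,
     * however, is already invalidated by then, so nothing below touches it.
     */
    public static class AuditLogoutHandler implements LogoutHandler {

        private static final Logger LOG = Logger.getLogger(AuditLogoutHandler.class.getName());

        @Override
        public void logout(HttpServletRequest request, HttpServletResponse response,
                Authentication authentication) {
            String user = authentication != null ? authentication.getName() : "<none>";
            // Record who logged out, from where, and which session id was ended,
            // so a logout can be matched against the login that preceded it.
            LOG.info("logout user=" + user
                    + " remote=" + request.getRemoteAddr()
                    + " session=" + request.getRequestedSessionId());
        }
    }

    /** Sends the user to a fixed page once every LogoutHandler has run. */
    public static class RedirectingLogoutSuccessHandler implements LogoutSuccessHandler {

        private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
        private String targetUrl = "/login"; // assumed default; settable from XML

        public void setTargetUrl(String targetUrl) {
            this.targetUrl = targetUrl;
        }

        @Override
        public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                Authentication authentication) throws IOException, ServletException {
            // DefaultRedirectStrategy prefixes a context-relative path with the
            // application's context path and issues the redirect itself.
            redirectStrategy.sendRedirect(request, response, targetUrl);
        }
    }
}
```

Both classes have no-argument constructors, so they drop into the `<beans:bean>` declarations above unchanged; the redirect target can be overridden with `<beans:property name="targetUrl" value="/login?logout_successful=1"/>`. If a handler needs session attributes (for example to record a login timestamp stored in the session), list it before securityContextLogoutHandler in the handlers list, since that handler invalidates the session.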

Just do this (the lines commented with "concerns you"):

    Authentication auth = SecurityContextHolder.getContext().getAuthentication(); // concerns you
    User currUser = userService.getUserById(auth.getName()); // some DAO or Service...
    SecurityContextLogoutHandler ctxLogOut = new SecurityContextLogoutHandler(); // concerns you
    if (currUser == null) {
        ctxLogOut.logout(request, response, auth); // concerns you
    }
+2
Apr 18 '13 at 11:01

new SecurityContextLogoutHandler().logout(request, null, null);

0
Feb 08 '17 at 1:58

Right, Oledzki. For example, I use the following inside my controller to log out and redirect the user to the login page with Spring Security 4.2.3:

    SecurityContextHolder.clearContext();
    if (session != null) {
        session.invalidate();
    }
    return "redirect:/login";
0
Sep 26 '17 at 7:03