
Removing user login credentials from session when the user logs out in spring-security

I am new to Spring and Spring-Security. I have been going through the tutorials here.

Users are not allowed to hit the add employee page without logging in. So if you hit the add employee page, you will be directed to the login page, and when login succeeds you are directed to the add employee page automatically.

But once the user has logged in, the add employee link can be accessed even after the user logs out. It can be accessed even after the server is restarted; I had to close the browser window for the login credentials to be destroyed.

It works fine when I keep the logout url as "j_spring_security_logout", which I don't want to use. I want to use custom field names and urls, is it possible?

This is how my spring-security.xml looks:

<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/logout" access="permitAll" />
    <intercept-url pattern="/accessdenied" access="permitAll" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    <form-login login-page="/login" default-target-url="/list"
        authentication-failure-url="/accessdenied" />
    <logout logout-success-url="/logout" invalidate-session="true"
        delete-cookies="true" />
</http>
<authentication-manager alias="authenticationManager">
    <authentication-provider>
        <user-service>
            <user name="hasif" password="password" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>

This is how my LoginController looks:

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class LoginController {

    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String login() {
        return "login";
    }

    @RequestMapping(value = "/logout", method = RequestMethod.GET)
    public String logout(HttpServletRequest request) {
        // getSession(false) returns null when no session exists, so guard before invalidating
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        return "logout";
    }

    @RequestMapping(value = "/accessdenied", method = RequestMethod.GET)
    public String accessdenied() {
        return "accessdenied";
    }
}

Your configuration is wrong, you must specify the logout-url attribute and not the logout-success-url. The latter is the url you are sent to after logout has been successful.

<logout logout-url="/logout" invalidate-session="true" delete-cookies="true" />

delete-cookies takes a comma separated string with names of cookies to delete; I doubt you have a cookie named true, and the session is invalidated by default. So basically the following gives the same result.

<logout logout-url="/logout" />

If you want to change the name of the parameter used for specifying the username/password, add the username-parameter and password-parameter attributes respectively on the form-login element.

<form-login login-page="/login" default-target-url="/list" authentication-failure-url="/accessdenied" username-parameter="my-username-param" password-parameter="my-password-param"/>

For an explanation of the namespaces I suggest a read of the reference guide.

First, why do you want to do it manually when Spring provides such a good security feature?

No doubt you can handle it by yourself. For this you just have to invalidate the current session when the user clicks on the Log out button or link. There is a method available, HttpSession#invalidate(), which can solve your problem.
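The answers above describe two routes: letting the configured `<logout>` element (Spring Security's LogoutFilter) handle logout, or doing it by hand from a controller. The following is an added example, not code from the question or either answer, showing what a hand-written logout endpoint has to do to match what the `<logout>` element does for you: clear the security context, invalidate the session, and expire the session cookie. The class name ManualLogoutController, the JSESSIONID cookie name and the redirect target are assumptions; the Servlet 3 / Spring Security 3 javax API of the question is assumed as well.

```java
// Added example: manual logout that mirrors LogoutFilter's work.
// Class name, cookie name and redirect target are assumptions, not from the page.
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class ManualLogoutController {

    // POST rather than GET, so a plain cross-site link cannot log the user out.
    @RequestMapping(value = "/logout", method = RequestMethod.POST)
    public String logout(HttpServletRequest request, HttpServletResponse response) {
        // 1. Drop the authenticated principal from the thread-local security context.
        //    If this is skipped, Spring Security's SecurityContextPersistenceFilter can
        //    write the still-authenticated context into a fresh session when the
        //    response commits, which is one way a "logged out" user stays logged in.
        SecurityContextHolder.clearContext();

        // 2. Invalidate the server-side session; getSession(false) may return null.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 3. Expire the session cookie on the client so the old id is not sent again.
        //    Path must match the one the container set, otherwise the browser keeps it.
        Cookie sessionCookie = new Cookie("JSESSIONID", "");
        String contextPath = request.getContextPath();
        sessionCookie.setPath(contextPath.isEmpty() ? "/" : contextPath);
        sessionCookie.setMaxAge(0);
        response.addCookie(sessionCookie);

        // 4. Redirect, so a refresh of the result page cannot replay the logout request.
        return "redirect:/login?logout";
    }
}
```

Steps 1 to 3 are exactly what `<logout logout-url="/logout" />` wires up through SecurityContextLogoutHandler and the cookie-clearing handler, which is why the first answer recommends the configuration route over a custom controller.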
