Unable to call LogoutSuccessHandler - Spring Security

Question

I am trying to implement a Custom Spring Security Logout Handler. My configurations are as below but the logout handler is never called.

I have a JSP where I call logout as :

<a href="j_spring_security_logout">Logout</a>

In the application-security.xml, I have the following:

    <security:logout  invalidate-session="true"></security:logout>
    <security:logout logout-url="/logout" success-handler-ref="myCustomLogoutSuccessHandler"></security:logout>  


<beans:bean id="myCustomLogoutSuccessHandler"  class="com.inventory.security.MyCustomLogoutSuccessHandler"></beans:bean>

I have a Custom Logout handler too with the defination:

public class MyCustomLogoutSuccessHandler extends
SimpleUrlLogoutSuccessHandler implements LogoutSuccessHandler {

     @Override
        public void onLogoutSuccess
          (HttpServletRequest request, HttpServletResponse response, Authentication authentication) 
          throws IOException, ServletException {
         System.out.println("Principal: "+authentication.getPrincipal());
         System.out.println("Logout Called: MyCustomLogoutSuccessHandler");

            super.onLogoutSuccess(request, response, authentication);
        }
}

But this is never been called. Am I missing something?

If I change the j_spring_security_logout to logout and create my custom Controller for that URL , then in that case the code works for logout URL but how do I handle the Spring Magic Logout

Answer 1

Actually it isn't clear how you want to invoke your myCustomLogoutSuccessHandler , if you continue to use standard logout url ( j_spring_security_logout ), not your custom one - logout .

From other side what is the reason to have two <security:logout> ?

Won't it be enough to have this config:

<a href="j_spring_security_logout">Logout</a>
....
<security:logout invalidate-session="true" success-handler-ref="myCustomLogoutSuccessHandler"></security:logout> 

?

Explain your purpose, please

Answer 2

you are not doing special work in custom logout handler... since its a simple logout, so the following logout will work....>>>

configuration

<security:logout logout-url="/logout" logout-success-url="/login.html" invalidate-session="true" delete-cookies="JSESSIONID" />
</security:http>

html:

<a style="margin-top: 4px;" href="/logout">log_out</a>

for your information:

Attribute : logout-url
Specifies the URL that will cause a logout. Spring Security will initialize a filter that responds to this particular URL. 
 Defaults to /j_spring_security_logout if unspecified.

if you are not specifing the attribute logout-url then it will default to /j_spring_security_logout it means you have to put /j_spring_security_logout in your html logout tags as

<a style="margin-top: 4px;" href="../j_spring_security_logout">log_out</a>

and if you are specifing the same attribute you have to put the same url in both config and html tags.like

configuration:

<security:logout logout-url="/logout" logout-success-url="/login.html" invalidate-session="true" delete-cookies="JSESSIONID" />
</security:http>

html:

<a style="margin-top: 4px;" href="/logout">log_out</a>