Logout in spring security 3.2.0.RC1 does not work

I'm having trouble implementing logout functionality for my admin page. I reach my admin page using "/admin/" and to log out I want to use "/admin/logout". When I click on the button I go to "/" as logout-success dictates. When I return to "/admin" I see that I'm still logged in.

My spring xml is:

<sec:http auto-config="true">
    <sec:session-management session-fixation-protection="newSession"/>
    <sec:intercept-url pattern="/admin/**" access="ROLE_LEVEL_0" />
    <sec:http-basic />
    <sec:logout delete-cookies="JSESSIONID" logout-success-url="/" logout-url="/admin/logout"/>
</sec:http>

<sec:authentication-manager alias="authenticationManager" erase-credentials="true">
    <sec:authentication-provider user-service-ref="userDetailsService">
       <sec:password-encoder hash="md5"/> 
    </sec:authentication-provider>
</sec:authentication-manager>

<bean id="userDetailsService" class="com.adminsecurity.acegi.userdetails.jdbc.JdbcUserDetailsManager">
    <constructor-arg index="0" ref="dataSource"/>
    <property name="changePasswordSql" value="update users set password = ? where username = ?"/>
</bean>

My JSP is this:

<c:url var="logoutUrl" value="/admin/logout"/>
<form action="${logoutUrl}"
      method="get">
    <input type="submit"
           value="Log out" />
</form>

The only way to fix this is not using <sec:http-basic /> and opting for a form login option. Otherwise the browser will send the credentials in every request and you won't be able to log out. There are several workarounds for this but none of them is usable in every browser.
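
The configuration change the answer describes, as an added example that is not part of the original post. It assumes Spring Security's generated login page is acceptable (no login-page attribute is set), and the default-target-url value is an assumption. Note that auto-config="true" itself registers HTTP Basic alongside form login and logout, so it has to go as well.

```xml
<!-- Added example: the question's <sec:http> block reworked for form login. -->
<!-- auto-config="true" is dropped because it registers HTTP Basic as well
     as form login and logout, so deleting <sec:http-basic/> alone would
     leave Basic authentication active. -->
<sec:http>
    <sec:session-management session-fixation-protection="newSession"/>
    <sec:intercept-url pattern="/admin/**" access="ROLE_LEVEL_0"/>

    <!-- Session-based login. With no login-page attribute Spring Security
         serves its generated login form. default-target-url is an
         assumption chosen to match the question's admin page. -->
    <sec:form-login default-target-url="/admin/"/>

    <!-- Same logout settings as the question. With Basic gone the browser
         holds no credentials to resend, so invalidating the session and
         deleting the JSESSIONID cookie actually ends the login. -->
    <sec:logout logout-url="/admin/logout"
                logout-success-url="/"
                invalidate-session="true"
                delete-cookies="JSESSIONID"/>
</sec:http>
```

After logging out with this configuration, a request to /admin/ should redirect to the login form instead of being served.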
