
Spring Security Java Config Custom Logout Handler Not Working

I've searched for a solution but can't find one anywhere, at least not a current one or one that uses non-XML-based Spring and Spring Security configuration.

I need to implement a handler that will be used prior to the Spring logout handler. I've read plenty of articles about the LogoutSuccessHandler, but that is called after a successful logout by the Logout Filter, and I need to access user data that is stored in the user's session to perform some database entries, site logout info, etc. This session is lost once Spring logs out the user, so it has to be before that.

I've tried creating my own custom logout class and defined it in my application configuration class like this:

@Bean
public CustomLogoutHandler customLogoutHandler() {
    return new CustomLogoutHandler();
}

and my class extends the LogoutHandler like the Spring documents say to do:

public class CustomLogoutHandler extends LogoutHandler {

    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
        // business logic here
    }
}

This is still not working. I put a breakpoint in the code and it never gets picked up. Does anyone have an idea of what could be causing this or what I need to do to get it to work?

To use your own custom logout handler that implements Spring's LogoutHandler.class you need to let Spring know that you are using your own in the configuration file under the logout options using .addLogoutHandler. I think you were missing this step. In the security config file:

public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // ... other methods here

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // ... other config options
            .logout()
                .addLogoutHandler(customLogoutHandler())  // <- custom handler
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                // ... other config options
                ;
    }
}

And define the bean. I put mine in the SecurityConfig.class, but I think you can put it in the web or app config class depending on how you set up your project.

@Bean
public CustomLogoutHandler customLogoutHandler() {
    return new CustomLogoutHandler();
}

Then, create your CustomLogoutHandler.class, making sure to IMPLEMENT the LogoutHandler and OVERRIDE the logout method. Here you can use the Authentication class to access anything you have added to the user's request scope.

public class CustomLogoutHandler implements LogoutHandler {
    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {

        // business logic here
    }
}

You should also take a look at this question and answer which talks about the order of custom handler mappings in Spring.

I hope this helps.
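
A fuller version of the handler sketched in the answer above, added here as an example and not code from the original post. Handlers registered with .addLogoutHandler run before Spring's built-in SecurityContextLogoutHandler invalidates the session, so session data is still readable here. The LogoutAuditSink interface, the constructor argument and the "siteInfo" attribute name are assumptions for illustration.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;

// Hypothetical persistence port; back it with your own repository/DAO.
interface LogoutAuditSink {
    void record(String username, Object siteInfo, String remoteAddr);
}

public class CustomLogoutHandler implements LogoutHandler {

    // Assumed session attribute name, not from the original post.
    static final String SITE_INFO_ATTR = "siteInfo";

    private final LogoutAuditSink sink;

    public CustomLogoutHandler(LogoutAuditSink sink) {
        this.sink = sink;
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        // /logout can be requested with no login or an expired session:
        // there is no principal to record in that case.
        if (authentication == null) {
            return;
        }
        // getSession(false): never create a new session during logout.
        HttpSession session = request.getSession(false);
        Object siteInfo = (session != null) ? session.getAttribute(SITE_INFO_ATTR) : null;
        try {
            sink.record(authentication.getName(), siteInfo, request.getRemoteAddr());
        } catch (RuntimeException ex) {
            // An audit failure must not abort the handler chain: the handlers
            // after this one still have to invalidate the session and clear
            // the security context.
            request.getServletContext().log("logout audit failed", ex);
        }
    }
}
```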

The technical post webpages of this site follow the CC BY-SA 4.0 protocol.