How to logout successfully with spring security using FreeMarker
Question
I'm having problems trying to logout from my application, when I press the logout button in my application it shows me the login page again, but if write in the search bar in my browser I can go to any page in my application without having to login again, it seems that when I press the logout link I don't logout at all.
here are my mave dependencies
<!-- SPRING SECURITY -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.5.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>4.0.0.RELEASE</version>
</dependency>
I'm using FreeMarkes as my template engine and I use this expression to have access to Jsp Security Tags.
<#assign security=JspTaglibs["http://www.springframework.org/security/tags"] />
here is my login controller:
@Controller
@RequestMapping("/login/")
public class LoginControl {
@RequestMapping (value = "login", method = RequestMethod.GET)
public String login (Model model, @RequestParam(value = "logout", required = false) String logout)
{
System.out.println(" logut is " + logout);
return "/login/login";
}
}
And here is my spring security configuration, I'm using a java configuration and no XML
@Configuration
@EnableWebMvcSecurity
public class SeguridadConfiguracion extends WebSecurityConfigurerAdapter {
@Autowired
private AutrProvider aut;
@Override
protected void configure( HttpSecurity http ) throws Exception
{
http
.authenticationProvider(autenticador)
.authorizeRequests()
.antMatchers("/resources/**").permitAll()
.antMatchers("/css/**").permitAll()
.antMatchers("/js/**").permitAll()
.antMatchers("/img/**").permitAll()
.antMatchers("/sound/**").permitAll()
.antMatchers("/fonts/**").permitAll()
.antMatchers("/ajax/**").permitAll()
.antMatchers("/php/**").permitAll()
.antMatchers("/xml/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login/login")
.permitAll()
.and()
.logout().logoutSuccessUrl("/login/login?logout")
.permitAll()
.and()
.csrf().disable();
}
}
and my AutProvider class
@Component
public class AutProvider implements AuthenticationProvider {
@Override
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
String name = null;
String password = null;
Authentication auth = null;
try {
name = authentication.getName();
password = authentication.getCredentials().toString();
if (name.equals("admin@admin.com") && password.equals("password")) {
List<GrantedAuthority> grantedAuths = new ArrayList<>();
grantedAuths.add(new SimpleGrantedAuthority("PERM_DELETE"));
auth = new UsernamePasswordAuthenticationToken(name, password, grantedAuths);
}
} catch (AuthenticationException e) {
e.printStackTrace();
throw e;
}
return auth;
}
and here is how I call the logout link in my page
<div id="logout" class="btn-header transparent pull-right">
<span> <a href="../login/login?logout.html" title="Sign Out" data-action="userLogout" data-logout-msg="You can improve your security further after logging out by closing this opened browser"><i class="fa fa-sign-out"></i></a> </span>
</div>
I tried changing href="../login/login?logout.html" to href="../j_spring_security_logout "` but when I do this it says 404 not found.
EDIT:
I think that the real problem resides in this lines :
In my spring secuirty configuration class:
.and()
.logout().logoutSuccessUrl("/login/login?logout")
.permitAll()
This part of My Login Controller:
@RequestMapping (value = "login", method = RequestMethod.GET)
public String login (Model model, @RequestParam(value = "logout", required = false) String logout)
{
System.out.println(" logut is " + logout);
return "/login/login";
}
And this part in page where i call the logout:
<a href="../login/login?logout.html"
I'm very confused with this link: j_spring_security_logout why should I put it in my href if I dont have any controller mapped for that path, is read that that link is some kind of virtual link that is mapped with the path that I put in my spring secuirty configuration class, and I'm not sure but i believed that that link have some kind of functions already defined like closing my session or clearing my crfs tokken (if i later want to use one (since I dont have one in my application right now) ).
EDIT 2:
I changed my spring security congifuration class to do this
.formLogin()
.loginPage("/login/login")
.permitAll()
.and()
.logout()
.permitAll()
.logoutUrl("/login/logoutPage")
.logoutSuccessUrl("/login/login")
.and()
.csrf().disable();
And i created a new logout page that is the same as the login page (is a copy but with a diferent file name) and I create a new controller method to map this new page. Because when i try to use this controller:
@RequestMapping (value = "login", method = RequestMethod.GET)
public String login (Model model, @RequestParam(value = "logout", required = false) String logout)
{
System.out.println(" logut is " + logout);
return "/login/login";
}
with this href="../login/login?logout.html" it show me the login page again but i'm not logout at all, but when i do it with the new page i create it logs me out fine, but is there a way to use the same page as i'm trying to do.
Also what's the difference between a logoutUrl() and logoutSuccessUrl()
2 answers
solution1
1 2015-04-15 21:02:55
How about invalidate the current session? Something like this:
public String logout(HttpSession session) {
session.invalidate();
....
}
solution2
0 2015-04-16 14:37:23
I'm very confused with this link: j_spring_security_logout why should I put it in my href if I dont have any controller mapped for that path, is read that that link is some kind of virtual link that is mapped with the path that I put in my spring secuirty configuration class, and I'm not sure but i believed that that link have some kind of functions already defined like closing my session or clearing my crfs tokken (if i later want to use one (since I dont have one in my application right now) ).
To give you some clarity :
- Spring security introduces
org.springframework.security.web.authentication.logout.LogoutFilterto each request via security filter chain defined in your web.xml. Neither Spring framework nor you implement any controller to handle logout. - You invoked logout().logoutSuccessUrl("/login/login?logout") on your HttpSecurity object. As per spring security 3.2 documentation
- For your config, by default, the URL "/logout" will log the user out by invalidating the HTTP Session,* so you need to setup your logout URL something like this in your jsp :
<a href="${pageContext.request.contextPath}/logout" ../>. Click to this URL will invalidate the session and redirect (not forward) to the logout success URL (logoutSuccessUrl("/logout.html").
- For your config, by default, the URL "/logout" will log the user out by invalidating the HTTP Session,* so you need to setup your logout URL something like this in your jsp :
- If you dont even want to use 'logout' keyword and set up 'custom-logout' as the keyword in your URL. Follow something like this.
.logout() .deleteCookies("remove").logoutUrl("/custom-logout").logoutSuccessUrl("/logout-success");
Hope this helps your understanding and help to resolve your issue.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.