  • Several questions to authentication/logout/redirect

    Hi all,

    I'm on my first Spring project actually and I've got some JSPs with forms, a Spring Security login and some business logic like CRUD actions for users.

    Some of the workflows:
    login->show user data->edit->check for changed email (login id)->logout
    login->show user data->delete user->logout

    I do this by setting security context:
    Code:
    SecurityContextHolder.getContext().setAuthentication(null);
    and then @Controller returning "redirect:/index" to starting jsp.

    Is this a common way to do it?

    Just returning "logout" or "/j_spring_security_logout"

    Some details of spring-security.xml:
    Code:
    <http auto-config="true" use-expressions="true">
    		<intercept-url pattern="/" access="permitAll" />
    		<intercept-url pattern="/login" access="permitAll" />
    		<intercept-url pattern="/logout" access="permitAll" />
    		<intercept-url pattern="/denied" access="hasRole('ROLE_USER')" />
    
    		<intercept-url pattern="/account/edit" access="hasRole('ROLE_USER')" />
    		<intercept-url pattern="/account/delete" access="hasRole('ROLE_USER')" />
    		<intercept-url pattern="/account/**" access="permitAll" />
    		
    		<intercept-url pattern="/order" access="hasRole('ROLE_USER')" />
    		<intercept-url pattern="/order/**" access="hasRole('ROLE_USER')" />
    
    		<form-login login-page="/login" authentication-failure-url="/login/failure" default-target-url="/order" />
    
    		<access-denied-handler error-page="/403" />
    
    		<logout invalidate-session="true" logout-success-url="/logout/success" logout-url="/logout" />
    </http>
    Often I've got the problem that, when I redo a login, I don't land on the normal default site after login, but on the last site I was on before I got logged out by business logic.

    I got a jsp included by
    HTML Code:
    <security:authorize ifNotGranted="ROLE_ANONYMOUS">
    	<jsp:include page="menu.jsp"></jsp:include>
    </security:authorize>
    Buttons for edit, logout and the
    HTML Code:
    SecurityContextHolder.getContext().getAuthentication().getName()
    is shown.

    When I used:
    HTML Code:
    SecurityContextHolder.getContext().getAuthentication().setAuthenticated(false);
    for logout by business logic the site needs to be refreshed to blend out the menu.

    After editing or deleting a user, when I hit the back button of the browser I don't want the user to see his menu bar or data. Do you have an idea how to keep the sites from being cached, or how to make them self-refresh to check the security context and auto-forward to the login page?


    Kind regards,
    chris
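
Added example, not part of the original post: one way to log a user out from business logic so that the HTTP session is invalidated as well as the security context cleared, plus a servlet filter that tells the browser not to cache protected pages. The class names and the commented-out `accountService` call are hypothetical; `SecurityContextLogoutHandler` is Spring Security's own logout handler.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class AccountDeleteController {          // hypothetical controller name

    @RequestMapping(value = "/account/delete", method = RequestMethod.POST)
    public String delete(HttpServletRequest request, HttpServletResponse response) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // accountService.delete(auth.getName());   // business logic, assumed and not shown

        // Invalidates the HttpSession and clears the SecurityContext in one step,
        // so no authenticated state survives for the next request on the old session.
        new SecurityContextLogoutHandler().logout(request, response, auth);

        return "redirect:/index";
    }
}

// Hypothetical filter: marks every response it covers as non-cacheable, so the
// browser re-requests the page on "back" and the security filter chain runs again.
class NoCacheFilter implements Filter {

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        http.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        http.setHeader("Pragma", "no-cache");     // for HTTP/1.0 clients and proxies
        http.setDateHeader("Expires", 0);
        chain.doFilter(req, res);
    }
}
```

The filter has to be registered in `web.xml` and mapped to the protected paths (for the configuration above, `/account/*` and `/order/*`). To always land on `default-target-url` after login instead of the previously requested page, `<form-login>` accepts `always-use-default-target="true"`.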