
  • HOWTO: Acegi Logout

    All,

    I have been looking for a way to issue a logout command with acegi. Is there something I am missing? I tried to just invalidate the session, but that doesn't seem to do it.

    Thanks in advance.

    Dan

  • #2
    In your controller set ContextHolder to null.

    AutoIntegrationFilter or whatever subclass of AbstractIntegrationFilter you're using will overwrite the HttpSession (or other well-known location) at the end of the web request.

    Comment


    • #3
      Ben,

      Thanks, I will give it a try.

      Dan

      Comment


      • #4
        Do you mean to say you set the Context on the ContextHolder to null?

        Comment


        • #5
          Yes, sorry.

          Comment


          • #6
            I've created a HttpSessionListener that sets the Context to null on session invalidation.

            Here it is:

            Code:
            package net.sf.acegisecurity.ui;
            
            import org.apache.commons.logging.Log;
            import org.apache.commons.logging.LogFactory;
            
            import javax.servlet.http.HttpSessionEvent;
            import javax.servlet.http.HttpSessionListener;
            
            
            /**
             * @author  Andreas Brenk
             */
            public class AbstractIntegrationListener implements HttpSessionListener {
            
                //~ Static fields/initializers ---------------------------------------------
            
                protected static final Log logger = LogFactory.getLog(AbstractIntegrationListener.class);
            
                //~ Methods ----------------------------------------------------------------
            
                /**
                 * @see  javax.servlet.http.HttpSessionListener#sessionCreated(javax.servlet.http.HttpSessionEvent)
                 */
                public void sessionCreated(HttpSessionEvent se) {
                }
            
                /**
                 * @see  javax.servlet.http.HttpSessionListener#sessionDestroyed(javax.servlet.http.HttpSessionEvent)
                 */
                public void sessionDestroyed(HttpSessionEvent se) {
                }
            }
            and
            Code:
            package net.sf.acegisecurity.ui.webapp;
            
            import net.sf.acegisecurity.context.ContextHolder;
            import net.sf.acegisecurity.ui.AbstractIntegrationListener;
            
            import javax.servlet.http.HttpSessionEvent;
            
            
            /**
             * In web.xml:
             * 
             *   <listener>
             *       <listener-class>net.sf.acegisecurity.ui.webapp.HttpSessionIntegrationListener</listener-class>
             *   </listener>
             * 
             * @author  Andreas Brenk
             */
            public class HttpSessionIntegrationListener
                extends AbstractIntegrationListener {
            
                //~ Methods ----------------------------------------------------------------
            
                public void sessionDestroyed(HttpSessionEvent se) {
            
                    if (logger.isInfoEnabled()) {
                        logger.info("Removing Context from ContextHolder");
                    }
            
                    ContextHolder.setContext(null);
                }
            }
            I'd be delighted if it could be included in the official release.

            Regards,
            Andreas

            Comment


            • #7
              If AbstractIntegrationFilter is working properly, it will automatically ContextHolder.setContext(null) at the end of each request. As such what value does a HttpSessionListener add?

              Comment


              • #8
                In 0.50 I simply called request.getSession().invalidate() during logout and everything was fine. After an upgrade to 0.51 this produced "IllegalStateException: Cannot create a session after the response has been committed". The Listener was my solution.

                This way the controller also would not be directly coupled to ContextHolder.

                But please correct me, I'm always keen to learn.

                AB

                Comment


                • #9
                  You can provide a logout function by simply invalidating the HttpSession. As the request will still end normally, the AbstractIntegrationFilter will tidy up the ContextHolder (set it to null) and the session invalidation takes care of removing the HttpSession-stored Authentication object.

                  So I still can't see any reason to use a HttpSessionListener for the purpose of logout in a normal situation. Some people might need it though, if they had very special needs like tracking simultaneous logins etc.

                  Comment


                  • #10
                    acegi logout

                    i know this was asked a long time ago, but i think invalidating the session doesn't always work for some people. this worked for me.


                    import javax.servlet.http.HttpServletRequest;
                    import javax.servlet.http.HttpServletResponse;

                    import org.acegisecurity.context.SecurityContextHolder;
                    import org.springframework.web.servlet.ModelAndView;
                    import org.springframework.web.servlet.mvc.AbstractController;

                    public class LogoutController extends AbstractController {

                        private String redirect;

                        public String getRedirect() {
                            return redirect;
                        }

                        @Override
                        protected ModelAndView handleRequestInternal(HttpServletRequest request,
                                HttpServletResponse response) throws Exception {

                            // Remove the Authentication from the current security context
                            SecurityContextHolder.getContext().setAuthentication(null);

                            // Send the user to the configured view
                            return new ModelAndView(redirect);
                        }

                        public void setRedirect(String redirect) {
                            this.redirect = redirect;
                        }

                    }

                    Comment
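The two approaches discussed in posts #9 and #10 (invalidating the HttpSession and clearing the security context) can be combined in one controller. This is an added example, not code from any poster or from Acegi itself; the package, class name and default redirect path are hypothetical, and it assumes the org.acegisecurity package layout used in post #10.

```java
package example.logout; // hypothetical package

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.acegisecurity.context.SecurityContextHolder;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.AbstractController;
import org.springframework.web.servlet.view.RedirectView;

public class SessionInvalidatingLogoutController extends AbstractController {

    // Fixed, application-relative target configured on the bean. It is never
    // read from a request parameter, so logout cannot act as an open redirect.
    private String redirect = "/login.jsp"; // hypothetical default

    public void setRedirect(String redirect) {
        this.redirect = redirect;
    }

    @Override
    protected ModelAndView handleRequestInternal(HttpServletRequest request,
            HttpServletResponse response) throws Exception {

        // getSession(false): do not create a session just to destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Drops all server-side state, including the stored
            // Authentication, so the old session id no longer maps to a login.
            session.invalidate();
        }

        // Clear the thread-bound context so nothing later in this request
        // still sees the user as authenticated.
        SecurityContextHolder.clearContext();

        // Keep the logout response itself out of browser and proxy caches.
        response.setHeader("Cache-Control", "no-store");

        // Redirect before any output is written, while the response is
        // still uncommitted; 'true' makes the URL context-relative.
        return new ModelAndView(new RedirectView(redirect, true));
    }
}
```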


                    • #11
                      Logout functionality is now provided through the LogoutFilter.

                      Comment
