destroy session upon logging out. Help!
This topic is closed

  • destroy session upon logging out. Help!

    Hi. I am a new user of Acegi and I do have a question regarding invalidation of the session upon logging out. In my application, I only had the line "session.invalidate();" in the action. When I tried getting the authentication object from the context holder (which I think holds the user's info), after "session.invalidate()", the authentication object is not when the user tries clicking the "BACK" button (in the browser), he/she is directed to his/her previously visited page.

    I am using the code below to extract the authentication object:
    SecureContext sContext=((SecureContext)ContextHolder.getContext( ));
    Authentication auth = sContext.getAuthentication();

    I had included in the bean filterInvocationInterceptor (applicationContext-acegi-security.xml) that all my JSP pages would require an authority "ROLE_SOMEROLE", but since I am still getting the user's granted authority (even after logging off), my user is able to navigate back to the previous page.

    I am just playing around here, so I had tried:
    HttpSessionIntegrationFilter hsif = new HttpSessionIntegrationFilter();
    but it is still not working. When I try
    SecureContext sContext2 = ((SecureContext) ContextHolder.getContext());
    Authentication auth2 = sContext2.getAuthentication();
    again, auth2 returns what my other variable auth returns.

    Please help. Any will be much appreciated. Thanks in advance!

  • #2
    That's a bit odd, and I'd suggest it's related to your filter ordering being incorrect. Check out Note 0.8.0 will be released today, so you're probably best off waiting and getting it working with that release (ContextHolder management has changed).