How does logout work in Spring Security compared to Acegi ?

  • How does logout work in Spring Security compared to Acegi ?

    In Acegi, in order to log out from, say, a jsp, you added a link to a logout url, and set up a logout filter as below

    <bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter"> (url as constructor arg)

    and then added the logout filter to the filter chain.

    What do you do in Spring Security ?

    I have added a <logout> section to my config, but when I click on the link it looks for logout.jsp. It's almost as if there is no logout filter intercepting this "fake" url.

    Do I have to add a logout filter somewhere ?

  • #2
    <logout /> adds a LogoutFilter to the chain, so the behaviour is the same. The default URL is "/j_spring_security_logout".


    • #3
      Originally posted by Luke Taylor
      <logout /> adds a LogoutFilter to the chain, so the behaviour is the same. The default URL is "/j_spring_security_logout".
      Thanks - somewhat simpler!


      • #4
        Originally posted by Luke Taylor
        <logout /> adds a LogoutFilter to the chain, so the behaviour is the same. The default URL is "/j_spring_security_logout".
        Any chance you might document this in the Spring Security Reference Guide? A few sentences about how to implement a logout in the simplest case wouldn't hurt.


        • #5
          /j_spring_security_logout not working

          Inside the <http></http> section of my applicationContext-security.xml I have a <logout/> tag.

          I issue a GET request to <web app context>/j_spring_security_logout (something like http://example.com/members/j_spring_security_logout) and find, when I check the principal (req.getUserPrincipal()) and my roles (req.isUserInRole()), that I am still logged in.

          What gives?


          • #6
            Did you get a solution to this?


            • #7
              Not yet. I've compared my applicationContext-security.xml with the one used in the petclinic example (which works) and I am lost as to the difference that would cause my app not to work.

              Here is my applicationContext-security.xml:

              <?xml version="1.0" encoding="UTF-8"?>

              <beans:beans xmlns="http://www.springframework.org/schema/security"
              xmlns:beans="http://www.springframework.org/schema/beans"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schem...-beans-2.0.xsd
              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

              <http auto-config="true">
                <intercept-url pattern="/" filters="none"/>
                <intercept-url pattern="/index.htm*" filters="none"/>
                <intercept-url pattern="/showFullMemberList.htm*" filters="none"/>
                <intercept-url pattern="/css/**" filters="none"/>
                <intercept-url pattern="/js/**" filters="none"/>
                <intercept-url pattern="/images/**" filters="none"/>
                <intercept-url pattern="/showCategoryList.htm*" filters="none" />
                <intercept-url pattern="/busframes.html*" filters="none" />
                <intercept-url pattern="/inactivateMember.htm*" access="ROLE_SUPERVISOR" />
                <intercept-url pattern="/activateMember.htm*" access="ROLE_SUPERVISOR" />
                <intercept-url pattern="/showPendingChangeList.htm*" access="ROLE_SUPERVISOR" />
                <intercept-url pattern="/showUserList.htm*" access="ROLE_SUPERVISOR" />
                <intercept-url pattern="/showEditUserForm.htm*" access="ROLE_SUPERVISOR,ROLE_MEMBER" />
                <intercept-url pattern="/saveUser.htm*" access="ROLE_SUPERVISOR" />
                <intercept-url pattern="/**" access="ROLE_MEMBER" />
              </http>

              <authentication-provider>
                <jdbc-user-service data-source-ref="dataSource"/>
              </authentication-provider>
              </beans:beans>


              • #8
                Actually, it looks like this works now.
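
An added example, not part of the original thread and not Spring Security's own code: a small Python check that reads a Spring Security 2.0 namespace configuration and reports whether the logout URL from post #2 reaches the LogoutFilter or is exempted by an earlier `filters="none"` rule, which takes a request out of the security filter chain. The function names, the simplified Ant-pattern matcher, the default lower-case comparison and the `BROKEN` variant are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://www.springframework.org/schema/security}"
DEFAULT_LOGOUT_URL = "/j_spring_security_logout"  # default named in post #2

def ant_to_regex(pattern):
    """Simplified Ant-style matcher (assumption): '**' spans '/', '*' and '?' do not."""
    out = ""
    for tok in re.split(r"(\*\*|\*|\?)", pattern):
        out += {"**": ".*", "*": "[^/]*", "?": "[^/]"}.get(tok, re.escape(tok))
    return re.compile(out + r"\Z")

def check_logout(config_xml):
    """Return (logout_url, verdict) for the first <http> element in the config."""
    http = ET.fromstring(config_xml).find(f".//{NS}http")
    logout = http.find(f"{NS}logout")
    # auto-config="true" registers <logout/> implicitly.
    if logout is None and http.get("auto-config") != "true":
        return None, "no LogoutFilter: add <logout/> or auto-config='true'"
    url = DEFAULT_LOGOUT_URL if logout is None else logout.get("logout-url", DEFAULT_LOGOUT_URL)
    # First matching intercept-url wins; lower-case comparison assumed (the default).
    for rule in http.findall(f"{NS}intercept-url"):
        if ant_to_regex(rule.get("pattern").lower()).match(url.lower()):
            if rule.get("filters") == "none":
                return url, f"bypassed: {rule.get('pattern')} has filters='none'"
            break
    return url, "intercepted by LogoutFilter"

# Trimmed copy of the configuration in post #7 (schemaLocation omitted).
POST7 = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <http auto-config="true">
    <intercept-url pattern="/" filters="none"/>
    <intercept-url pattern="/css/**" filters="none"/>
    <intercept-url pattern="/showUserList.htm*" access="ROLE_SUPERVISOR"/>
    <intercept-url pattern="/**" access="ROLE_MEMBER"/>
  </http>
</beans:beans>"""
# Constructed variant: the home-page exemption widened so it also covers the logout URL.
BROKEN = POST7.replace('pattern="/" ', 'pattern="/*" ')

if __name__ == "__main__":
    for name, cfg in (("post #7", POST7), ("variant", BROKEN)):
        print(name, check_logout(cfg))
```

For the configuration as posted, the logout URL falls through to the `/**` rule and stays inside the filter chain; only the constructed variant takes it out.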
