This topic is closed

  • logout leaves protected resource accessible

    Hi,

    I am trying to set up a simple j_spring_security_logout example, and am running into the following problem:

    When I enter a URL of a protected resource into the browser, I am redirected to the login page as expected. But after logging out, if I enter that same URL of the same protected resource into the same browser window again, I am not redirected to a login page, but instead am taken directly to that resource (even though I'm logged out). But I know the logout is somewhat working because if I try to access a different protected resource instead, I am redirected to the login page. Can anyone help me understand why this is happening? Shouldn't I have to log in again to access a protected resource after logging out?

    Any help would be greatly appreciated as I've spent all night on this already ;(

    Thank you!

    Here is the code/steps to reproduce:

    ProtectedOne.html:
    Code:
    ...
    protected resource one
    <a href="j_spring_security_logout">logout</a>
    ...
    ProtectedTwo.html:
    Code:
    ...
    protected resource two
    <a href="j_spring_security_logout">logout</a>
    ...
    Spring Security Config:
    Code:
    ...
       <http>
         <intercept-url pattern="/bye.html" filters='none'/>  
         <intercept-url pattern="/home.html" filters='none'/>  
         <intercept-url pattern="/**" access="ROLE_USER" />
         <form-login />
         <logout logout-success-url="/bye.html"/>
      </http>
    ...
    1) Type in /ProtectedOne.html in browser (you will be redirected to log in page)
    2) Log in with user/pass that has ROLE_USER (you will be directed back to /ProtectedOne.html)
    3) Click logout link (you will be directed to /bye.html)
    4) Type in /ProtectedOne.html in browser again, notice it DOES NOT make you log in, but takes you straight to /ProtectedOne.html
    5) Type in /ProtectedTwo.html in browser again, notice it DOES make you log in before taking you to /ProtectedTwo.html

  • #2
    Disable caching for protected pages. If you don't, you will have the behavior you describe, because you basically see the cached page in the browser's memory.



    • #3
      Thanks, that was the problem exactly.
