Announcement Announcement Module
Collapse
No announcement yet.
Help? Does j_spring_security_logout invalidate session Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Help? Does j_spring_security_logout invalidate session

    Hi,

    I need a clarification in the logout process of spring security. I want to know if sessions will be invalidated when logout is done using j_spring_security_logout.

    I am not writing any specific code except calling j_spring_security_logout when logout link is clicked. Is there anything else that I should do. I have given below the configuration done by me and the JSP code fragment.

    Any guidance would great.

    Thanks

    Configuration in springsecurity xml

    <security:http entry-point-ref="myAuthenticationEntryPoint" session-fixation-protection="newSession" >

    <security:intercept-url pattern="/login/**" />
    <security:intercept-url pattern="/dashboard/dashboard.htm" access="ROLE_ADMIN, ROLE_USER, ROLE_USER1"/>
    <security:intercept-url pattern="/**" access="ROLE_ADMIN, ROLE_USER, ROLE_USER1"/>
    <security:logout logout-success-url="/login.htm"/>
    <security:anonymous username="guest" granted-authority="ROLE_ADMIN, ROLE_USER, ROLE_USER1"/>
    </security:http>


    JSP code
    <a href='<c:url value="/j_spring_security_logout"/>'>Log out</a>

  • #2
    Help? Does j_spring_security_logout invalidate session

    Hi,

    I have not tried it..but found following

    '/j_spring_security_logout' of LogoutFilter is similar to '/j_spring_security_check' of AuthenticationProcessingFilter but for logout.

    E.g. LogoutFilter will process logout when client request /j_spring_security_logout url. LogoutFilter delegates work to list of LogoutHandler, one of which does session invalidation (SecurityContextLogoutHandler)

    Hope this help you...

    Also please let me know your final solution for implementing logout.

    Thanks,
    Nisha

    Comment


    • #3
      By default, the session is invalidated. You can override this behavior using invalidate-session="false" on the <logout> element in your configuration.

      Comment


      • #4
        Logout

        Hi,

        Thanks for all your suggestions.

        I used the following code to get it working
        [CODE]
        <a href='<c:url value="/j_spring_security_logout"/>'>Log out</a>
        [CODE]

        However, I am now facing another issue with respect to the session time out. I am using a sessionexpiry filter, which gets called for even the login page. I have put this as a separate thread. Any help in this would be greatly appreciated.

        Thanks

        Comment

        Working...
        X