  • Invalidate session user in Oauth 2.0


    I want to ask whether I can implement my own handler, instead of the one defined in the Spring configuration (spring-servlet.xml), to process logout, that is, to invalidate or remove the user security context and session?

    I use this code snippet in my Spring MVC logout handler to invalidate the user security context and session:

    // Cleaning security context and session //
    // Imports needed for this snippet (Spring Security):
    // import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
    // import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
    // import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
    CookieClearingLogoutHandler cookieClearingLogoutHandler = new CookieClearingLogoutHandler(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
    SecurityContextLogoutHandler securityContextLogoutHandler = new SecurityContextLogoutHandler();
    cookieClearingLogoutHandler.logout(request, response, null);  // expires the remember-me cookie
    securityContextLogoutHandler.logout(request, response, null); // invalidates the HttpSession and clears the SecurityContextHolder

    The scenario that I have tested with 1 user is:
    1. The system is completely clear of user sessions.
    2. So when the client accesses via the app (client), it shows the user login.
    3. After authentication, it shows the client authorization.
    4. After authorization, an auth_code is generated and exchanged for an access_code.
    5. After getting the access_code, the user logs out from the system.
    6. The system responds with response_code = 00, logout = true (my custom message).
    7. At this point, I assume the user session is invalidated or destroyed, so when the user accesses the system again, it will show the login page again.
    8. The user accesses the system again via the app (client), but it does not display the login page (the user session still exists).

    Any help would be appreciated.

  • #2
    The normal way to handle session invalidation on logout is with a SecurityContextLogoutHandler (and your solution looks like it only clears a specific remember-me cookie, unless there's something you're not showing). You get one for free if you use the <logout/> XML DSL element.

    Note that this is not really an OAuth question, since it relates to basic Spring Security features.
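    Putting the question's handlers and the answer's advice together, here is an added example (not code from either post) of a controller-driven logout that runs both handlers and then verifies that the HttpSession really is gone and the SecurityContextHolder is empty before reporting the "logout = true" message from the question. The /logout mapping, the javax.servlet API (Spring 3/4 era, matching the XML configuration mentioned) and the failure response body are assumptions.

    ```java
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
    import org.springframework.security.web.authentication.logout.LogoutHandler;
    import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
    import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.bind.annotation.ResponseBody;

    @Controller
    public class LogoutController {

        // The same two handlers the question uses. SecurityContextLogoutHandler
        // invalidates the HttpSession and clears the SecurityContextHolder by default.
        private final LogoutHandler[] handlers = {
            new CookieClearingLogoutHandler(
                AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY),
            new SecurityContextLogoutHandler()
        };

        // Assumed mapping; POST so the logout cannot be triggered by a plain link.
        @RequestMapping(value = "/logout", method = RequestMethod.POST)
        @ResponseBody
        public String logout(HttpServletRequest request, HttpServletResponse response) {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            for (LogoutHandler handler : handlers) {
                handler.logout(request, response, auth);
            }
            if (!isLoggedOut(request)) {
                // Something re-created the session or context after the handlers ran;
                // report failure rather than a misleading success message (assumed body).
                response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                return "{\"logout\":false}";
            }
            return "{\"response_code\":\"00\",\"logout\":true}";
        }

        // After SecurityContextLogoutHandler ran, getSession(false) must return null
        // (the container discards the invalidated session) and the context must be empty.
        static boolean isLoggedOut(HttpServletRequest request) {
            return request.getSession(false) == null
                && SecurityContextHolder.getContext().getAuthentication() == null;
        }
    }
    ```

    If the check fails, look for a filter, JSP or interceptor that calls request.getSession() after the handlers, since that silently creates a fresh session.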