Logout problems - SecurityContextHolder.getContext().getAuthentication() returns null

  • Logout problems - SecurityContextHolder.getContext().getAuthentication() returns null


    I am running 1.0.0 RC1 and cannot get global or local logout to work.

    1. Go to http://<server>:<port>/spring-security-saml2-sample/index.jsp
    2. Get redirected to my IDP
    3. Do login at IDP
    4. I am redirected back to "http://<server>:<port>/spring-security-saml2-sample/index.jsp;jsessionid=69A8A4BDFCE9D12AE003CB2AFC69E808"
    On this page, I see:
    User has been authenticated
    and the links at the bottom:
    Global Logout
    Local Logout
    5. Click on "Global Logout" link
    6. I end up on http://<server>:<port>/spring-security-saml2-sample/logout.jsp
    and see:
    You have been logged out.
    Back to index
    7. When I click the "Back to index" link, I still see what I saw in step 4 -- like I was never logged out.
    The only difference I can see is that the URL in the browser is now just (no jsessionid parameter):

    When I remote debug into processLogout() method in SAMLLogoutFilter, on line 124:
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();

    SecurityContextHolder.getContext().getAuthentication() returns null and is assigned to "auth"

    Since the next line checks whether "auth" is null:
    if (auth != null && isGlobalLogout(request, auth)) {

    most of the logout code seems to be skipped.

    If I try "Local logout", I see the same behavior.

    Any information or hints on why I would be running into this condition or how to get logout to work would be greatly appreciated.

  • #2

    Are you using the default sample application or have you made some customizations? What application server are you using? Is there any chance you're combining http and https in the same application?

    Please enable complete tracing as per chapter 7.1 in the manual and also include "". If you could then reproduce the problem and post the logging result, it will help to analyze this issue.

    Vladimír Schäfer


    • #3
      Hi Vladimír,

      Thank you for your prompt consideration.

      I had some simple customization to SAMLProcessingFilter.attemptAuthentication() via a subclass that stores some of the results of the authentication information returned by SAMLProcessingFilter.attemptAuthentication().

      I am using Tomcat 6.0.35.

      Based on your questions, I decided to start from scratch and build my sample SP from the RC2 release.
      The logout function in the out-of-box sample works as expected against my IDP.
      I then re-applied my customizations by modifying securityContext.xml and adding my classes and jars to the webapp. The logout function continues to work as expected!

      Since I now have a working system using the latest release bundle, I am not going to worry too much about why it did not work in the previous configuration.

      Thanks for your hints and as others have already said: great project!


      Last edited by rcc; Mar 26th, 2013, 01:03 PM. Reason: typo