spring security logout trigger

Question

I want to remove logged out user from a Hashmap I have for logged in users but I don't find the way to do this as when I press the logout link. It just redirected to login page.

In spring security I have

 <logout invalidate-session="true" 
        logout-success-url="/" 
        logout-url="/logout.htm"/>

logout link is like

 <a href="logout.htm">Logout</a>

When I press this link it just go to my login mapping

 @RequestMapping("login")
public ModelAndView login(){}

and when I try to get user detail using

  SecurityContextHolder.getContext()
            .getAuthentication().getPrincipal();

it returns me anonymous user. So how can I get the logged out user detail.

Please let me know if you need more details.

score 3 · Answer 1 · edited May 23 '17 at 12:04

Add an implementation of org.springframework.security.web.authentication.logout.LogoutSuccessHandler interface as a bean to your security context.

Then you can use it:

<logout success-handler-ref="yourLogoutSuccessHandler" />

EDIT. As mentioned by Marcel this solution will not work out of the box because you can't mix success-handler-ref and logout-success-url attributes (reference). I prefer slightly different solution : instead of inheritance, you can use composition:

Prepare configuratio for SimpleUrlLogoutSuccessHandler bean.
Set up logout-success-url via corresponding defaultTargetUrl property.
Inject SimpleUrlLogoutSuccessHandler bean into your CustomUrlLogoutSuccessHandler using LogoutSuccessHandler interface and call it after doing your stuff.

Advantage is that you will be less coupled with a framework code. So you will have less problems in a case of migration from Spring Security 3.1 to Spring Security Y.Y

score 2 · Accepted Answer · edited May 23 '17 at 12:18

2

The hint about the LogoutSuccessHandler is correct. However, you have to consider that configuring success-handler-ref and logout-success-url are mutually exclusive if I'm not mistaken. Hence, you need to implement the forwarding to URL manually in your success handler. Pointer: https://stackoverflow.com/a/6770785/131929

edited May 23 '17 at 12:18

Community

1
1

answered Dec 18 '12 at 20:34

Marcel Stör

22,695
19
92
198

Good point. My answer was updated according to your hint. Thank you! – Maksym Demidas Dec 19 '12 at 10:36

score 0 · Answer 3 · answered Dec 19 '12 at 11:21

0

Authentication authentication = SecurityContextHolder.getContext().getAuthentication()
authentication.getName()

answered Dec 19 '12 at 11:21

swamy

1,200
10
23

score 0 · Answer 4 · edited Jun 12 '14 at 10:31

In your applicationContext-security.xml file add the success-handler like below

< logout logout-url="/resources/j_spring_security_logout" success-handler-ref="com.mycompany.security.SpringSecurityLogoutHandler" />

Create the Class which will be implemneting org.springframework.security.web.authentication.logout.LogoutHandler interface and in it's logout method do all the stuff you want at the time of logout.

spring security logout trigger

4 Answers4