0

I cant use Spring Security LogoutSuccessHandler but only in my current project. Previously, everything worker properly but now its not used.

Here is the class:

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import org.springframework.stereotype.Component;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Component("customLogoutSuccessHandler") //or implements LogoutSuccessHandler
public class CustomLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {
    @Override
    public void onLogoutSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
        System.err.println("LOGOUT HANDLER HERE");
    }
}

And here is my xml config

<security:http auto-config="false" >               
           <security:logout logout-url="/logout" success-handler-ref="customLogoutSuccessHandler"/>
           <security:form-login login-page="/login" default-target-url="/"/>
           <security:csrf/>
</security:http>

Whats wrong with the code? onLogoutSuccess method is never run even if I am logged out:

@RequestMapping(value = "/logout")
public String logout(){
    SecurityContextHolder.clearContext();
    return "redirect:/";
}

Why?

azalut
  • 4,094
  • 7
  • 33
  • 46
  • possible duplicate of [Spring Security Logout session is not invalidated \[SOLVED\]](http://stackoverflow.com/questions/29811266/spring-security-logout-session-is-not-invalidated-solved) – Neil McGuigan Jul 14 '15 at 19:03

1 Answers1

1

You are not doing much in logout() method, so probably its easier to just remove it - /logout is a default logout url in spring security and it should serve it (clearing context)for you. You are probably breaking filter chain using redirect:/

hi_my_name_is
  • 4,894
  • 3
  • 34
  • 50
  • yes but the problem is, that when I remove method mapped /logout (from controller) then nothing happens and I cant logout.. I have no idea why. Adding the /logout mapped-method is the only way I've found to logout. I've also commented the method and the onLogoutSuccess method still didnt get executed – azalut Jul 14 '15 at 07:42
  • /logout use POST by default. Take a look here http://stackoverflow.com/questions/24108585/spring-security-java-config-not-generating-logout-url – hi_my_name_is Jul 14 '15 at 08:44
  • oh my god, that was the problem.. thanks @freakman btw do you know how to configure it with xml? i can of course use form but it created boilerplate code, using GET would be more convenient – azalut Jul 14 '15 at 09:57
  • sorry, left xml world long ago :) – hi_my_name_is Jul 14 '15 at 10:26
  • there are still a lot of people who use XML because of being more readable. So far I have used javaconfig only and now created xml project and cant figure out why was javaconfig needed? What does it solve? – azalut Jul 14 '15 at 10:28
  • its a topic for long discussion but...its a matter of preference I believe. For me its more readable. Easier to configure beans with IDE java support in terms of providing dependencies. You can debug by breakpoint either bean is created or not. Its convenient to write integration tests when you can use inner static configuration class ( https://spring.io/blog/2011/06/21/spring-3-1-m2-testing-with-configuration-classes-and-profiles and/or profiles. + you write code in java, why to configure it in any different language? :) + spring examples from docs are all in java now... and so on – hi_my_name_is Jul 14 '15 at 10:41
  • but yes, spring security in java config is kind of a pain. I somehow dont follow this api :) – hi_my_name_is Jul 14 '15 at 10:43
  • exactly, everithing is going into point where only javaconfig examples will be available; but for me separating "config thing" to xml and "business and logic" to java is better option than mixing it :) as you said, matter of preference. However, even if it is not so convenient for me, my next project will use javaconfig i suppose – azalut Jul 14 '15 at 11:10