Spring Security 3.1 redirect after logout


Solution 1

Since you have custom logic for redirecting, you need a custom LogoutSuccessHandler. In this handler, you need to add this logic:

String refererUrl = request.getHeader("Referer");
String normalizedRefererUrl = ...; // "Normalize" (if needed) the URL so it is in the form that you need.

if (requiresAuthentication(normalizedRefererUrl, authentication)) {
    response.sendRedirect(request.getContextPath()); // home page
} else {
    response.sendRedirect(refererUrl); // or normalizedUrl
}

In your requiresAuthentication() method, you need to use some part of Spring Security that determines if the URL needs authentication.
You can use a WebInvocationPrivilegeEvaluator reference there. You get hold of it through Spring by autowiring by class (since there will be a bean implementing WebInvocationPrivilegeEvaluator).
The evaluator has a method that you can use, isAllowed(uri, authentication).
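
As an added example (not code from the answer above and not part of Spring Security itself), here is one way to put Solution 1 together as a complete LogoutSuccessHandler. It also covers two points raised in the comments: the Authentication passed to the handler is still the logged-in user's, so the privilege check is done with an anonymous token instead of with it (a null Authentication makes the evaluator answer false for everything); and the evaluator is injected explicitly through the constructor so that, with more than one <http> element and therefore more than one WebInvocationPrivilegeEvaluator bean, you choose the one belonging to the chain that secures these URLs. It only follows a Referer that points back into this application: redirecting to an arbitrary Referer would let any third-party page that links to your logout URL send the user wherever it likes. The class name, the homePath constructor argument and the anonymous token's key are assumptions of this example.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.WebInvocationPrivilegeEvaluator;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

/**
 * Sends the user back to the page they logged out from when that page is
 * reachable anonymously, otherwise to the home page. The class name, the
 * homePath argument and the anonymous token key are this example's own
 * choices (assumptions), not Spring Security API.
 */
public class RefererAwareLogoutSuccessHandler implements LogoutSuccessHandler {

    private final WebInvocationPrivilegeEvaluator privilegeEvaluator;
    private final String homePath;

    public RefererAwareLogoutSuccessHandler(WebInvocationPrivilegeEvaluator privilegeEvaluator,
                                            String homePath) {
        this.privilegeEvaluator = privilegeEvaluator;
        this.homePath = homePath; // e.g. "/spring/main", relative to the context path
    }

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication authentication) throws IOException, ServletException {
        String contextPath = request.getContextPath();
        String target = contextPath + homePath;

        String refererPath = sameOriginPath(request, request.getHeader("Referer"));
        if (refererPath != null && isAllowedAnonymously(contextPath, refererPath)) {
            target = refererPath;
        }
        response.sendRedirect(target);
    }

    /**
     * Returns the path (plus query string) of the Referer only if it points at
     * this host and lives under this web application's context path; anything
     * else yields null, so the handler never redirects to a foreign site.
     */
    private static String sameOriginPath(HttpServletRequest request, String referer) {
        if (referer == null || referer.isEmpty()) {
            return null;
        }
        try {
            URI uri = new URI(referer);
            String host = uri.getHost();
            String path = uri.getRawPath();
            if (host == null || !host.equalsIgnoreCase(request.getServerName()) || path == null) {
                return null;
            }
            String contextPath = request.getContextPath();
            if (!contextPath.isEmpty() && !path.startsWith(contextPath + "/")) {
                return null;
            }
            return uri.getRawQuery() == null ? path : path + "?" + uri.getRawQuery();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /**
     * Asks Spring Security's own access rules whether the URL is open to an
     * anonymous user. The Authentication handed to onLogoutSuccess() is still
     * the pre-logout one and would answer "allowed" for every page the user
     * was just on, and a null Authentication makes the evaluator answer false,
     * so we build the token an unauthenticated request would carry.
     */
    private boolean isAllowedAnonymously(String contextPath, String pathWithQuery) {
        String path = pathWithQuery;
        int q = path.indexOf('?');
        if (q >= 0) {
            path = path.substring(0, q); // the access rules match on the path, not the query
        }
        // isAllowed() expects the URI relative to the context path.
        String uri = path.substring(contextPath.length());
        Authentication anonymous = new AnonymousAuthenticationToken(
                "logoutCheck", "anonymousUser",
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        return privilegeEvaluator.isAllowed(uri, anonymous);
    }
}
```

Declare it as a bean with the chosen evaluator bean and the home path as constructor arguments, and reference it from the logout element with success-handler-ref (for example `<security:logout logout-url="/spring/logout" success-handler-ref="refererLogoutHandler"/>`, where refererLogoutHandler is a bean id assumed here) instead of logout-success-url, since, as noted in the comments, the two attributes cannot be combined.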

Solution 2

<security:http auto-config="true">
    <security:form-login login-page="/spring/login" 
                         login-processing-url="/spring/loginProcess"
                         default-target-url="/spring/main" 
                         authentication-failure-url="/spring/login?login_error=1" />  
    <security:logout logout-url="/spring/logout" logout-success-url="/spring/logout-success" />
</security:http>

logout-success-url from the docs, or for a custom success handler

Mat

Studied computer science in TUL, studied graphic design in WSINF, working in Web development. Performance obsessed.

Updated on June 04, 2022

Comments

  • Mat
    Mat almost 2 years

    I was reading many tutorials and none of them works for me... I use Spring 3.1.x with Spring Security. I have a bunch of secured URLs and many unsecured. Now, when the user is logged in and tries to log out I want him to stay on the same page as he was before, so I use this:

    <beans:bean id="logoutSuccessHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
        <beans:property name="useReferer" value="true"/>
    </beans:bean>
    

    This works fine; however, when the user logs out from a secured page it redirects him to the login page, and I would like to redirect to the home page. How can I achieve this? Thanks in advance!

  • Mat
    Mat almost 12 years
    This won't work; it would always redirect me to the same, hardcoded URL. I want to redirect sometimes to the current URL, sometimes to the home page (depending on where the user is). What's more, it's illegal to use logout-success-url with success-handler-ref (it throws configuration exceptions on startup).
  • Mat
    Mat almost 12 years
    Also the same problem. I don't want to redirect to "/" always, only when the user logs out from a secured page; otherwise redirect to the same URL that he came from.
  • Jigar Parekh
    Jigar Parekh almost 12 years
    Then I think you should write a custom success handler, as suggested by Nicolae Albu.
  • Mat
    Mat almost 12 years
    I like this solution most; however, we have two <http> elements in the configuration, so also two WebInvocationPrivilegeEvaluator beans in the context, and the autowiring is not working. Any ideas how to solve this?
  • Mat
    Mat almost 12 years
    I solved the problem, but now a strange thing happens: whenever I log out, the Authentication object that I receive in the custom Logout Handler is always authenticated (even though the logout is called properly). Any thoughts?
  • Nicolae Albu
    Nicolae Albu almost 12 years
    @Mat What do you mean by "is always authenticated"? Are you referring to the fact that the Authentication object is always not null?
  • Mat
    Mat almost 12 years
    OK, now I understand, it was my mistake. The Authentication object is not null and it's filled with the data of the user that used to be logged in before. This solution is not the best, because isAllowed() will always return true when checking with the Authentication from before the logout (as we were on this site, so we have grants to be there...). When I pass null, however, it always returns false ;) What I did was parse the URL and check if it fits my secure rules. I don't like this solution, but it works.
  • DairyLea
    DairyLea almost 11 years
    @Matt How did you solve the problem? I am getting 5 WebInvocationPrivilegeEvaluator beans and am not sure which one to use for a given URL.