Spring security custom LogoutHandler not called
As you want to use your custom filter instead of the Spring Security default logout filter, add this line to the logout filter bean:
<security:custom-filter position="LOGOUT_FILTER"/>
or add this line to your Spring Security config:
<security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER"/>
Edited
<security:http use-expressions="true">
    <security:intercept-url pattern="/logoutSuccess"
        access="permitAll" />
    <security:logout logout-url="/logout"
        logout-success-url="/logoutSuccess" success-handler-ref="myLogoutHandler" />
</security:http>
<bean id="myLogoutHandler" class="my.package.MyLogoutHandler" />
Also, you can implement the LogoutSuccessHandler interface instead of LogoutHandler.
Edit2
OK, so if you don't want to call your handler after logout is complete, remove the logout tag and set everything in the logout filter bean:
<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <constructor-arg index="0" value="/logoutSuccess" />
    <constructor-arg index="1">
        <list>
            <bean id="securityContextLogoutHandler"
                class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
            <bean id="myLogoutHandler" class="my.package.MyLogoutHandler" />
        </list>
    </constructor-arg>
    <property name="filterProcessesUrl" value="/logout" />
</bean>
And add <security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER"/>
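LogoutFilter calls its handlers in list order, and SecurityContextLogoutHandler invalidates the HTTP session by default, so a handler that needs session details has to be listed before it. The following is an added example, not code from the original answer: a handler that reads the session safely and logs only a fingerprint of the session id. The class name SessionAuditLogoutHandler and the session attribute "loginSource" are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;

// Hypothetical handler (added example). List it BEFORE SecurityContextLogoutHandler
// in the LogoutFilter constructor list: handlers run in list order, and
// SecurityContextLogoutHandler invalidates the session by default.
public class SessionAuditLogoutHandler implements LogoutHandler {

    private static final Logger LOG = Logger.getLogger(SessionAuditLogoutHandler.class.getName());

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        // authentication is null when /logout is requested without a logged-in user
        String user = (authentication != null) ? authentication.getName() : "anonymous";

        // getSession(false): never create a new session just to log the logout
        HttpSession session = request.getSession(false);
        if (session == null) {
            LOG.info("logout user=" + user + " session=none");
            return;
        }
        // "loginSource" is a constructed attribute name standing in for real session details
        Object loginSource = session.getAttribute("loginSource");
        LOG.info("logout user=" + user
                + " session=" + fingerprint(session.getId())
                + " loginSource=" + loginSource);
    }

    // Log a short SHA-256 prefix instead of the raw session id, so the audit log
    // never contains a usable session identifier.
    static String fingerprint(String sessionId) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(sessionId.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < 6; i++) sb.append(String.format("%02x", d[i]));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required on every JVM
        }
    }
}
```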
Ayelet
Updated on June 14, 2022
Comments
-
Ayelet about 2 years
I've implemented my own LogoutHandler and I'm trying to configure it in the spring security xml, but for some reason it's not being called on logout (the logout is successful, but my code isn't executed).
This is my security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:http use-expressions="true">
        <security:intercept-url pattern="/logoutSuccess" access="permitAll" />
        <security:logout logout-url="/logout" logout-success-url="/logoutSuccess" />
    </security:http>

    <bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <constructor-arg index="0" value="/logoutSuccess" />
        <constructor-arg index="1">
            <list>
                <bean id="securityContextLogoutHandler"
                    class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
                <bean id="myLogoutHandler" class="my.package.MyLogoutHandler" />
            </list>
        </constructor-arg>
        <property name="filterProcessesUrl" value="/logout" />
    </bean>
</beans>
MyLogoutHandler - this is what I want to execute on logout, but it's not being called:
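import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;

public class MyLogoutHandler implements LogoutHandler {

    // Invoked by LogoutFilter for each registered handler when the logout URL is requested
    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) {
        System.out.println("logout!");
    }
}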
Does anyone have any idea why it's not working? Thanks!
-
Ayelet over 10 years
Thanks, but when I add it to the logout filter bean I get the following error: cvc-complex-type.2.4.a: Invalid content was found starting with element 'custom-filter'. And when I try to add it to the security config I get the following error when running Tomcat: Configuration problem: Filter beans '<logoutFilter>' and 'Root bean: class [org.springframework.security.web.authentication.logout.LogoutFilter]; ... have the same 'order' value.
-
coder over 10 years
Can you post error details please? Also, please try <security:custom-filter position="LOGOUT_FILTER"/>, i.e. add the security namespace before the custom-filter tag.
-
Ayelet over 10 years
I tried that inside the bean, but got this error: Configuration problem: Security namespace does not support decoration of element [custom-filter]
-
coder over 10 years
The problem is that <logout> also adds a logout filter to the filter stack, which conflicts with yours. Instead of defining your custom logout filter, simply add success-handler-ref=myLogoutHandler in the logout tag itself.
-
Ayelet over 10 years
But I want my code to be executed before the logout success, so I can use some of the session details (the above code is just an example...).
-
Ayelet over 10 years
Thank you very much! :) What you suggested in Edit2 worked perfectly.