Hi All,

I am having an issue with spring security logout.

IN JSP I had written...


<c:url var="url" value="/j_spring_security_logout"></c:url>
<b> <a href="${url}">Logout</a> </b>


and in security.xml


<http auto-config="true" access-denied-page="/unauthorized">
<custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
<intercept-url pattern="/login" filters="none" />
<intercept-url pattern="/" access="ROLE_USER,ROLE_ADMIN" />
<intercept-url pattern="/landingPage" access="ROLE_USER,ROLE_ADMIN"
requires-channel="any" />
<intercept-url pattern="/admin" access='ROLE_ADMIN' />

<form-login login-page="/login"
authentication-success-handler-ref="authenticationSuccessHandler"
authentication-failure-url="/login?login_error=1" />

<logout logout-url="/j_spring_security_logout" invalidate-session="true" logout-success-url="/login" />

</http>



when I click on logout link it is coming to login page. but when I click on back button and click some other link in the page... it is working..

Where am I wrong..?

Please help..

Are you sure the page you are seeing is not cached by your browser?

Thanks for your reply,

I am sure it is not from browser cache.
When I click back button in browser (comes back to home page) and click on any link, it is actually been invoked by the controller itself..


Any further clue..

Judging from your configuration nothing but /admin and /landingpage is secured everything else is open for anyone. So I doubt it is the fact that thelogout isn't working....

Actually I am able to goto Admin page too...

Thanks

As stated ONLY /admin and /landingpage are protected... If you have /admin/user (or whatever) it isn't secured... So as I stated I doubt it is your logout not working it is your mapping.