How does logout work in Spring Security compared to Acegi ?
In Acegi, in order to log out from, say, a jsp, you added a link to a logout url, and set up a logout filter as below
<bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter"> (url as constructor arg)
and then added the logout filter to the filter chain.
What do you do in Spring Security ?
I have added a <logout> section to my config, but when I click on the link it looks for logout.jsp. It's almost as if there is no logout filter intercepting this "fake" url.
Do I have to add a logout filter somewhere ?
/j_spring_security_logout not working
Inside the <http></http> section of my applicationContext-security.xml I have a <logout/> tag.
I issue a GET request to <web app context>/j_spring_security_logout (something like http://example.com/members/j_spring_security_logout) and find that when I check the principal (req.getUserPricipal()) and my roles (req.isUserInRole()) that I am still logged in.