How does logout work in Spring Security compared to Acegi ?

Printable View

Jul 28th, 2008, 11:06 AM
Paul Newport

How does logout work in Spring Security compared to Acegi ?

In Acegi, in order to log out from, say, a jsp, you added a link to a logout url, and set up a logout filter as below

<bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter"> (url as constructor arg)

and then added the logout filter to the filter chain.

What do you do in Spring Security ?

I have added a <logout> section to my config, but when I click on the link it looks for logout.jsp. It's almost as if there is no logout filter intercepting this "fake" url.

Do I have to add a logout filter somewhere ?
Jul 28th, 2008, 11:44 AM
Luke Taylor

<logout /> adds a LogoutFilter to the chain, so the behaviour is the same. The default URL is "/j_spring_security_logout".
Jul 29th, 2008, 03:14 AM
Paul Newport

Quote:

Originally Posted by Luke Taylor

<logout /> adds a LogoutFilter to the chain, so the behaviour is the same. The default URL is "/j_spring_security_logout".

Thanks - somehwat simpler !
Aug 8th, 2008, 04:25 PM
lumpynose

Quote:

Originally Posted by Luke Taylor

<logout /> adds a LogoutFilter to the chain, so the behaviour is the same. The default URL is "/j_spring_security_logout".

Any chance you might document this in the Spring Security Reference Guide? A few sentences about how to implement a logout in the simplest case wouldn't hurt.
Sep 24th, 2008, 10:43 AM
jackcholt

/j_spring_security_logout not working

Inside the <http></http> section of my applicationContext-security.xml I have a <logout/> tag.

I issue a GET request to <web app context>/j_spring_security_logout (something like http://example.com/members/j_spring_security_logout) and find that when I check the principal (req.getUserPricipal()) and my roles (req.isUserInRole()) that I am still logged in.

What gives?
Sep 30th, 2008, 02:54 PM
J Ball

Did you get a solution to this?
Oct 1st, 2008, 12:38 PM
jackcholt

Not yet. I've compared my applicationContext-security.xml with the one used in the petclinic example (which works) and I am lost as to the difference that would cause my app not to work.

Here is my applcationContext-security.xml:

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schem...-beans-2.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

<http auto-config="true">
<intercept-url pattern="/" filters="none"/>
<intercept-url pattern="/index.htm*" filters="none"/>
<intercept-url pattern="/showFullMemberList.htm*" filters="none"/>
<intercept-url pattern="/css/**" filters="none"/>
<intercept-url pattern="/js/**" filters="none"/>
<intercept-url pattern="/images/**" filters="none"/>
<intercept-url pattern="/showCategoryList.htm*" filters="none" />
<intercept-url pattern="/busframes.html*" filters="none" />
<intercept-url pattern="/inactivateMember.htm*" access="ROLE_SUPERVISOR" />
<intercept-url pattern="/activateMember.htm*" access="ROLE_SUPERVISOR" />
<intercept-url pattern="/showPendingChangeList.htm*" access="ROLE_SUPERVISOR" />
<intercept-url pattern="/showUserList.htm*" access="ROLE_SUPERVISOR" />
<intercept-url pattern="/showEditUserForm.htm*" access="ROLE_SUPERVISOR,ROLE_MEMBER" />
<intercept-url pattern="/saveUser.htm*" access="ROLE_SUPERVISOR" />
<intercept-url pattern="/**" access="ROLE_MEMBER" />
</http>

<authentication-provider>
<jdbc-user-service data-source-ref="dataSource"/>
</authentication-provider>
</beans:beans>
Oct 1st, 2008, 05:27 PM
jackcholt

Actually, it looks like this works now.