logout leaves protected resource accessible
Hi,
I am trying to set up a simple j_spring_security_logout example, and am running into the following problem:
When I enter a URL of a protected resource into the browser, I am redirected to the login page as expected. But after logging out, if I enter that same URL of the same protected resource into the same browser window again, I am not redirected to a login page, but instead am taken directly to that resource (even though I'm logged out). But I know the logout is somewhat working because if I try to access a different protected resource instead, I am redirected to the login page. Can anyone help me understand why this is happening? Shouldn't I have to log in again to access a protected resource after logging out?
Any help would be greatly appreciated as I've spent all night on this already ;(
Thank you!
Here is the code/steps to reproduce:
ProtectedOne.html:
Code:
...
protected resource one
<a href="j_spring_security_logout">logout</a>
...
ProtectedTwo.html:
Code:
...
protected resource two
<a href="j_spring_security_logout">logout</a>
...
Spring Security Config:
Code:
...
<http>
    <intercept-url pattern="/bye.html" filters="none"/>
    <intercept-url pattern="/home.html" filters="none"/>
    <intercept-url pattern="/**" access="ROLE_USER"/>
    <form-login/>
    <logout logout-success-url="/bye.html"/>
</http>
...
1) Type in /ProtectedOne.html in browser (you will be redirected to log in page)
2) Log in with user/pass that has ROLE_USER (you will be directed back to /ProtectedOne.html)
3) Click logout link (you will be directed to /bye.html)
4) Type in /ProtectedOne.html in browser again, notice it DOES NOT make you log in, but takes you straight to /ProtectedOne.html
5) Type in /ProtectedTwo.html in browser again, notice it DOES make you log in before taking you to /ProtectedTwo.html