HOWTO: Acegi Logout

**dmfrey** · Oct 1st, 2004, 11:20 AM

All,

I have been looking for a way to issue a logout commnad with acegi. Is there something I am missing? I tried to just invalidate the session, but that doesn't seem to do it.

Thanks in advance.

Dan

**Ben Alex** · Oct 1st, 2004, 09:22 PM

In your controller set ContextHolder to null.

AutoIntegrationFilter or whatever subclass of AbstractIntegrationFilter you're using will overwrite the HttpSession (or other well-known location) at the end of the web request.

**dmfrey** · Oct 3rd, 2004, 10:25 AM

Ben,

Thanks, I will give it a try.

Dan

**smccrory** · Oct 3rd, 2004, 07:56 PM

Do you mean to say you set the Context on the ContextHolder to null?

**Ben Alex** · Oct 4th, 2004, 03:48 PM

Yes, sorry.

**abrenk** · Oct 15th, 2004, 07:51 AM

I've created a HttpSessionListener that sets the Context to null on session invalidation.

Here's it is:

Code:

package net.sf.acegisecurity.ui;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;


/**
 * @author  Andreas Brenk
 */
public class AbstractIntegrationListener implements HttpSessionListener &#123;

    //~ Static fields/initializers ---------------------------------------------

    protected static final Log logger = LogFactory.getLog&#40;AbstractIntegrationListener.class&#41;;

    //~ Methods ----------------------------------------------------------------

    /**
     * @see  javax.servlet.http.HttpSessionListener#sessionCreated&#40;javax.servlet.http.HttpSessionEvent&#41;
     */
    public void sessionCreated&#40;HttpSessionEvent se&#41; &#123;
    &#125;

    /**
     * @see  javax.servlet.http.HttpSessionListener#sessionDestroyed&#40;javax.servlet.http.HttpSessionEvent&#41;
     */
    public void sessionDestroyed&#40;HttpSessionEvent se&#41; &#123;
    &#125;
&#125;

and

Code:

package net.sf.acegisecurity.ui.webapp;

import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.ui.AbstractIntegrationListener;

import javax.servlet.http.HttpSessionEvent;


/**
 * In web.xml&#58;
 * 
 *   <listener&gt;
 *       <listener-class&gt;net.sf.acegisecurity.ui.webapp.HttpSessionIntegrationListener</listener-class&gt;
 *   </listener&gt;
 * 
 * @author  Andreas Brenk
 */
public class HttpSessionIntegrationListener
    extends AbstractIntegrationListener &#123;

    //~ Methods ----------------------------------------------------------------

    public void sessionDestroyed&#40;HttpSessionEvent se&#41; &#123;

        if &#40;logger.isInfoEnabled&#40;&#41;&#41; &#123;
            logger.info&#40;"Removing Context from ContextHolder"&#41;;
        &#125;

        ContextHolder.setContext&#40;null&#41;;
    &#125;
&#125;

I'd be delighted if it could be included in the official release.

Regards,
Andreas

**Ben Alex** · Oct 15th, 2004, 07:55 AM

If AbstractIntegrationFilter is working properly, it will automatically ContextHolder.setContext(null) at the end of each request. As such what value does a HttpSessionListener add?

**abrenk** · Oct 15th, 2004, 08:12 AM

In 0.50 I simply called request.getSession().invalidate() during logout and everything was fine. After an upgrade to 0.51 this produced "IllegalStateException: Cannot create a session after the response has been committed". The Listener was my solution.

This way the controller also would not be directly coupled to ContextHolder.

But please correct me, I'm always keen to learn.

AB

**Ben Alex** · Oct 15th, 2004, 08:48 AM

You can provide a logout function by simply invalidating the HttpSession. As the request will still end normally, the AbstractIntegrationFilter will tidy up the ContextHolder (set it to null) and the session invalidation takes care of removing the HttpSession-stored Authentication object.

So I still can't see any reason to use a HttpSessionListener for the purpose of logout in a normal situation. Some people might need it though, it they had very special needs like tracking simultaneous logins etc.

**sodamnmad** · Nov 2nd, 2007, 03:48 AM

i know this was asked a long time ago, but i think invalidating the session doesn't always work for some people. this worked for me.

import org.acegisecurity.context.SecurityContextHolder;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.AbstractContro ller;

public class LogoutController extends AbstractController {

private String redirect;

public String getRedirect() {
return redirect;
}

@Override
protected ModelAndView handleRequestInternal(HttpServletRequest request,
HttpServletResponse response) throws Exception {

SecurityContextHolder.getContext().setAuthenticati on(null);

return new ModelAndView(redirect);
}

public void setRedirect(String redirect) {
this.redirect = redirect;
}

}

Thread: HOWTO: Acegi Logout

Thread Tools

Display

HOWTO: Acegi Logout

acegi logout

Similar Threads

WebSphere for Authentication and Acegi for Authorization ?

Acegi running fine. Howto add roles, ...

ACEGI 0.8.2 + CAS 3.0: Global logout and user refresh

Acegi for LDAP

logout method

Posting Permissions