Hi. I am a new user of Acegi and I have a question regarding invalidation of the session upon logging out. In my application, I only had the line "session.invalidate();" in the action. When I tried getting the authentication object from the context holder (which I think holds the user's info) after "session.invalidate()", the authentication object is not null. So when the user clicks the "BACK" button (in the browser), he/she is directed to his/her previously visited page.
I am using the code below to extract the authentication object:
// Thread-local context populated by the integration filter for this request
SecureContext sContext = (SecureContext) ContextHolder.getContext();
Authentication auth = sContext.getAuthentication();
I had included in the bean filterInvocationInterceptor (applicationContext-acegi-security.xml) that all my JSP pages would require the authority "ROLE_SOMEROLE", but since I am still getting the user's granted authority (even after logging off), my user is able to navigate back to the previous page.
I am just playing around here, so I had tried:
HttpSessionIntegrationFilter hsif = new HttpSessionIntegrationFilter();
but it is still not working. When I try
// Same thread-local context read a second time in the same request
SecureContext sContext2 = (SecureContext) ContextHolder.getContext();
Authentication auth2 = sContext2.getAuthentication();
again, auth2 returns what my other variable auth returns.
Please help. Any help will be much appreciated. Thanks in advance!
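An added example (not the poster's code and not Acegi's own logout filter) of the logout handling a defender would want here: the integration filter copies the Authentication into the thread-local ContextHolder at the start of each request, so session.invalidate() alone leaves it set for the remainder of the current request, and the browser's cache can still show a protected page on "Back" without contacting the server. It assumes the net.sf.acegisecurity.context.ContextHolder/SecureContext API of that Acegi generation and a hypothetical /login.jsp landing page.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import net.sf.acegisecurity.context.Context;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.SecureContext;

/** Logout servlet: invalidates the session AND clears the thread-local context. */
public class LogoutServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // 1. Drop the server-side session so the integration filter has
        //    nothing to restore into ContextHolder on the next request.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Clear the thread-local context for the CURRENT request. This is
        //    what session.invalidate() does not do, and why getAuthentication()
        //    still returned the old principal in the poster's action.
        Context context = ContextHolder.getContext();
        if (context instanceof SecureContext) {
            ((SecureContext) context).setAuthentication(null);
        }
        ContextHolder.setContext(null);

        // 3. Send the user to a public page (assumed path).
        addNoCacheHeaders(response);
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }

    /**
     * Cache-defeating headers. To stop "Back" from showing a cached copy of a
     * protected page, call this on every protected response (e.g. from a
     * servlet filter), not only on the logout response.
     */
    static void addNoCacheHeaders(HttpServletResponse response) {
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0L);
    }
}
```

After this change, a request for a protected JSP made via "Back" reaches the server with no session and an empty ContextHolder, so the FilterSecurityInterceptor denies it instead of finding the stale ROLE_SOMEROLE authority.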