Dec 4th, 2008, 03:34 PM
What is j_spring_security_logout?
I am a beginner with Spring Security.
Could someone explain what "j_spring_security_logout" is?
I am trying to implement OpenID.
I downloaded "spring-security-samples-openid-2.0.4.war" and ran the example.
However, logout does not work.
When I reviewed a jsp file, the logout link refers to j_spring_security_logout, but I don't know what it is.
Please help me understand it.
Thanks in advance.
Dec 5th, 2008, 01:32 AM
'/j_spring_security_logout' of LogoutFilter is similar to '/j_spring_security_check' of AuthenticationProcessingFilter but for logout.
E.g. LogoutFilter will process the logout when the client requests the /j_spring_security_logout URL. LogoutFilter delegates the work to a list of LogoutHandlers, one of which (SecurityContextLogoutHandler) does session invalidation.
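A simplified model of the mechanism described in the reply above, added here as an illustration and not part of the original thread or Spring Security's own source: the logout URL is neither a servlet nor a JSP, only a path that a servlet filter intercepts. The class name `SimpleLogoutFilter`, the `Handler` interface and the `/` redirect target are assumptions made for this sketch.

```java
// Simplified model of the behaviour described above; NOT Spring Security's source.
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.*;

public class SimpleLogoutFilter implements Filter {
    /** Hypothetical stand-in for Spring Security's LogoutHandler interface. */
    interface Handler {
        void logout(HttpServletRequest req, HttpServletResponse res);
    }

    // The "magic" name is only a URL path that the filter watches for.
    private static final String LOGOUT_URL = "/j_spring_security_logout";
    private static final String SUCCESS_URL = "/"; // assumed landing page

    private final List<Handler> handlers = Arrays.<Handler>asList(
        // Plays the role of SecurityContextLogoutHandler (which also clears the security context).
        new Handler() {
            public void logout(HttpServletRequest req, HttpServletResponse res) {
                HttpSession session = req.getSession(false); // never create a session here
                if (session != null) {
                    session.invalidate(); // drops the server-side login state
                }
            }
        });

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        String uri = req.getRequestURI();
        int params = uri.indexOf(';'); // strip ";jsessionid=..." before matching
        if (params >= 0) uri = uri.substring(0, params);

        if (!uri.equals(req.getContextPath() + LOGOUT_URL)) {
            chain.doFilter(request, response); // not a logout request: pass through
            return;
        }
        for (Handler h : handlers) {
            h.logout(req, res); // each handler performs one piece of the logout
        }
        res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + SUCCESS_URL));
    }

    public void init(FilterConfig config) {}
    public void destroy() {}
}
```

These handlers end only the application's own session; a session held at an external identity provider is not touched by them.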
Dec 7th, 2008, 03:52 PM
Could you help me find where the source code for "j_spring_security_logout" is?
Is it a servlet? A macro? Or what? I want to know where (which jar file) it is located, and how it is written in detail.
Thanks in advance, and please understand my lack of knowledge.
Dec 7th, 2008, 03:54 PM
Dec 8th, 2008, 08:34 AM
Has anybody tested this j_spring_security_logout for OpenID?
It seems to work in other samples in the repository, but it (logout) does not in the OpenID sample (http://repo1.maven.org/maven2/org/sp...amples-openid/).
The problem is that although I used j_spring_security_logout, I can still access the secured web pages.
When I access the secured web pages in a new session, my access is filtered and redirected to a log-in page, so I need to go through the authentication process (OpenID authentication), which is the normal situation.
Once logged in and then logged out, I can access the secured web pages without authentication, which is not the normal situation.
Could you help me?
Dec 8th, 2008, 10:43 AM
OpenID is a single-sign-on solution. So even if you log out of the application you will still be allowed back in while you are authenticated to OpenID.
Dec 8th, 2008, 02:17 PM
Is there any way to change the configuration, so that I can force a complete logout after clicking the logout button in OpenID?
I think it is not secure that when I leave a public computer after "explicitly" logging out from an OpenID secured web page, somebody can access the page.