Thread: What is j_spring_security_logout?

  1. #1
    Join Date
    Oct 2008
    Posts
    8

    What is j_spring_security_logout?

    I am a beginner with Spring Security.

    Could someone explain what "j_spring_security_logout" is?

    I am trying to implement OpenID.

    I downloaded "spring-security-samples-openid-2.0.4.war" and ran the example.

    However, logout does not work.

    When I reviewed a JSP file, the logout link refers to j_spring_security_logout, but I don't know what it is.

    Please help me understand it.

    Thanks in advance.

    John

  2. #2
    Join Date
    Jun 2007
    Location
    Minsk, Belarus
    Posts
    217

    '/j_spring_security_logout' of LogoutFilter is similar to '/j_spring_security_check' of AuthenticationProcessingFilter but for logout.

    E.g. LogoutFilter will process logout when the client requests the /j_spring_security_logout URL. LogoutFilter delegates work to a list of LogoutHandlers, one of which does session invalidation (SecurityContextLogoutHandler).

  3. #3
    Join Date
    Oct 2008
    Posts
    8

    Could you help me find where the source code for "j_spring_security_logout" is?
    Is it a servlet? A macro? Or what? I want to know where (in which jar file) it is located, and how it is written in detail.

    Thanks in advance, and please understand my lack of knowledge.

    John

  4. #4
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

  5. #5
    Join Date
    Oct 2008
    Posts
    8

    Has anybody tested this j_spring_security_logout for OpenID?

    It seems to work in other samples in the repository, but it (logout) does not in the OpenID sample (http://repo1.maven.org/maven2/org/sp...amples-openid/).

    The problem is that although I used j_spring_security_logout, I can still access the secured web pages.
    When I access the secured web pages in a new session, my access is filtered and redirected to a log-in page, so I need to go through the authentication process (OpenID authentication), which is the normal situation.
    Once logged in and then logged out, I can access the secured web pages without authentication, which is not the normal situation.

    Could you help me?

  6. #6
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    OpenID is a single-sign-on solution. So even if you log out of the application you will still be allowed back in while you are authenticated to OpenID.
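
The behaviour described in replies #2 and #6, as an added example that is not part of the thread and is not Spring Security source code: a plain-Java model of a filter that acts on the logout URL and delegates to handlers, next to a provider that keeps its own login state. Only the names LogoutFilter, LogoutHandler and SecurityContextLogoutHandler come from the thread; `OpenIdProvider`, `requestSecuredPage`, the session map and the identifier `https://id.example/john` are constructed, and the provider is assumed to re-assert the identity without prompting.

```java
import java.util.*;

// Simplified model for illustration, not the framework's implementation.
public class LogoutModel {
    interface LogoutHandler { void logout(Map<String, Object> session); }

    // Plays the role of SecurityContextLogoutHandler: drop local session state.
    static class SecurityContextLogoutHandler implements LogoutHandler {
        public void logout(Map<String, Object> session) { session.clear(); }
    }

    // Plays the role of LogoutFilter: act only on the logout URL, then delegate.
    static class LogoutFilter {
        private final List<LogoutHandler> handlers;
        LogoutFilter(List<LogoutHandler> handlers) { this.handlers = handlers; }
        boolean doFilter(String path, Map<String, Object> session) {
            if (!path.endsWith("/j_spring_security_logout")) return false;
            for (LogoutHandler h : handlers) h.logout(session);
            return true;
        }
    }

    // Hypothetical stand-in for the OpenID provider and its separate login state.
    static class OpenIdProvider {
        boolean userSignedIn = true;
        String assertIdentity() { return userSignedIn ? "https://id.example/john" : null; }
    }

    // Secured page: with no local user, ask the provider before showing a login page.
    static String requestSecuredPage(Map<String, Object> session, OpenIdProvider op) {
        if (session.get("user") == null) {
            String id = op.assertIdentity();
            if (id == null) return "login page";
            session.put("user", id);
        }
        return "secured page for " + session.get("user");
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        OpenIdProvider op = new OpenIdProvider();
        LogoutFilter filter = new LogoutFilter(
            Arrays.<LogoutHandler>asList(new SecurityContextLogoutHandler()));
        System.out.println(requestSecuredPage(session, op));
        filter.doFilter("/app/j_spring_security_logout", session); // local logout only
        System.out.println("local session empty: " + session.isEmpty());
        System.out.println(requestSecuredPage(session, op)); // provider still signed in
        op.userSignedIn = false;                              // sign out at the provider too
        filter.doFilter("/app/j_spring_security_logout", session);
        System.out.println(requestSecuredPage(session, op));
    }
}
```

The local session is cleared by the first logout, yet the next request is let back in because the provider still vouches for the user; only after the provider session ends does the secured page fall back to the login page.
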

  7. #7
    Join Date
    Oct 2008
    Posts
    8

    Luke,

    Is there any way to change the configuration so that I can force a complete logout after clicking the logout button in OpenID?

    I think it is not secure that when I leave a public computer after "explicitly" logging out from an OpenID-secured web page, somebody can access the page.

    John
