Thread: logout leaves protected resource accessible

  1. #1
    Join Date
    Jan 2009
    Posts
    2

    Hi,

    I am trying to set up a simple j_spring_security_logout example, and am running into the following problem:

    When I enter a URL of a protected resource into the browser, I am redirected to the login page as expected. But after logging out, if I enter that same URL of the same protected resource into the same browser window again, I am not redirected to a login page, but instead am taken directly to that resource (even though I'm logged out). But I know the logout is somewhat working because if I try to access a different protected resource instead, I am redirected to the login page. Can anyone help me understand why this is happening? Shouldn't I have to log in again to access a protected resource after logging out?

    Any help would be greatly appreciated as I've spent all night on this already ;(

    Thank you!

    Here is the code/steps to reproduce:

    ProtectedOne.html:
    Code:
    ...
    protected resource one
    <a href="j_spring_security_logout">logout</a>
    ...
    ProtectedTwo.html:
    Code:
    ...
    protected resource two
    <a href="j_spring_security_logout">logout</a>
    ...
    Spring Security Config:
    Code:
    ...
       <http>
         <intercept-url pattern="/bye.html" filters='none'/>  
         <intercept-url pattern="/home.html" filters='none'/>  
         <intercept-url pattern="/**" access="ROLE_USER" />
         <form-login />
         <logout logout-success-url="/bye.html"/>
      </http>
    ...
    1) Type in /ProtectedOne.html in browser (you will be redirected to log in page)
    2) Log in with user/pass that has ROLE_USER (you will be directed back to /ProtectedOne.html)
    3) Click logout link (you will be directed to /bye.html)
    4) Type in /ProtectedOne.html in browser again, notice it DOES NOT make you log in, but takes you straight to /ProtectedOne.html
    5) Type in /ProtectedTwo.html in browser again, notice it DOES make you log in before taking you to /ProtectedTwo.html

  2. #2
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,632

    Disable caching for protected pages. If you don't, you will have the behavior you describe, because you basically see the cached page in the browser's memory.
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthusiast / Author

  3. #3
    Join Date
    Jan 2009
    Posts
    2

    Thanks, that was the problem exactly.
