We have seen how to configure login behavior for our application, and how to let Spring manage authentication, session creation, authorization, etc. The logical end to the flow would be to log out. A normal logout would involve releasing any resources, destroying sessions, etc., and showing a logout page.
But with all our cookie lifecycle and session management being performed by Spring, it would be easy to let Spring manage the logout flow too.
Accordingly I created a simple signout page and named it "out.html".
The next step would be to tell Spring that on logout, my new HTML page should be displayed.
<http>
    <intercept-url pattern="/dynamic/**" access="ROLE_USER"/>
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <form-login/>
    <logout logout-success-url="/out.html"/>
</http>
We have specified here that when the logout action completes, the user should be redirected to out.html. But how do we initiate logout?
Well, you could put a sign-out link on your page, yes, but what should the URL be? This is the logout fragment:
<p>
    <a href="${pageContext.request.contextPath}/j_spring_security_logout">Logout</a>
</p>
This action will evaluate to Spring Security's logout handler:
DEBUG SecurityContextLogoutHandler:62 - Invalidating session: 7F9505354369CE038BBA97918DC0518E
...
DEBUG SimpleUrlLogoutSuccessHandler:107 - Using default URL: /out.html
DEBUG DefaultRedirectStrategy:36 - Redirecting to '/FormLogin/out.html'
DEBUG HttpSessionSecurityContextRepository:127 - No HttpSession currently exists
As seen, Spring invalidated the HTTP session. It then redirected the flow to the logout page specified. If we had the remember-me option enabled, then that cookie would also be removed. We can also have other cookies removed.
<logout logout-success-url="/out.html" delete-cookies="JSESSIONID"
        logout-url="/logout" invalidate-session="true"/>
The delete-cookies attribute can be used to do the same. For multiple cookies, provide a comma-separated list. Also, if we want a custom logout URL, then we can specify one here. It will replace the 'j_spring_security_logout' URL.
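To see on the wire whether a logout configuration clears the cookies named in delete-cookies and redirects to the logout-success-url, the headers of the logout response can be checked as below. This is an added example, not code from the original post; the function names are hypothetical and the sample headers (including the localhost host) are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample logout responses (assumed host; not captured from the post's app).
WITH_DELETE = [("Location", "http://localhost:8080/FormLogin/out.html"),
               ("Set-Cookie", "JSESSIONID=; Path=/FormLogin; Max-Age=0")]
WITHOUT_DELETE = [("Location", "http://localhost:8080/FormLogin/out.html")]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def is_deletion(attrs):
    """True if the attributes tell the browser to drop the cookie now."""
    try:
        return int(attrs["max-age"]) <= 0
    except (KeyError, ValueError):
        pass  # no usable Max-Age, fall back to Expires
    try:
        expires = parsedate_to_datetime(attrs.get("expires", ""))
    except (TypeError, ValueError):
        return False
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return expires <= datetime.now(timezone.utc)

def check_logout_response(status, headers, success_url, cookie_names):
    """Return a list of findings; an empty list means the logout looks clean."""
    findings = []
    location = next((v for k, v in headers if k.lower() == "location"), "")
    if status not in (302, 303) or not urlsplit(location).path.endswith(success_url):
        findings.append(f"expected redirect to {success_url}, got {status} {location!r}")
    cleared = set()
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if is_deletion(attrs):
                cleared.add(name)
    for name in cookie_names:
        if name not in cleared:
            findings.append(f"cookie {name} was not cleared on logout")
    return findings
```

A response without a clearing Set-Cookie header still leaves the old session ID in the browser, even though the server-side session has been invalidated.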