Spring Security Logout

1. Overview

This article is building on top of our Form Login tutorial and is going to focus on the how to configure Logout with Spring Security.

2. Basic Configuration

The basic configuration of Spring Logout functionality using the security namespace support is simple enough:

<http>

    ...    
    <logout/>

</http>

The element enables the default logout mechanism – which is configured to use the following logout url: j_spring_security_logout.

3. The JSP and the Logout Link

Continuing this simple example, the way to provide a logout link in the web application is:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
   <head></head>
   <body>
      <a href="<c:url value="/j_spring_security_logout" />">Logout</a>
   </body>
</html>

4. Advanced Customizations

4.1. logout-succcess-url

After the logout process is performed successfully, Spring Security will redirect the user to a specified page. By default, this is the root page (“/”) but this is configurable in the namespace:

<logout logout-success-url="/afterlogout.html" />

Depending on the application, a good practice is to redirect the user back to the login page:

<logout logout-success-url="/login.html" />

4.2. logout-url

Similar to other defaults in Spring Security, the URL that actually triggers the logout mechanism has a default as well – /j_spring_security_logout.

It is however a good idea to change this default value, to make sure that no information is published about what framework is used to secure the application:

<logout 
    logout-success-url="/anonymous.html" 
    logout-url="/perform_logout" />

4.3. invalidate-session and delete-cookie

These two advanced attributes control the session invalidation as well as a list of cookies to be deleted when the user logs out. As such, invalidate-session allows the session to be set up so that it’s not invalidated when logout occurs (it’s true by default).

The delete-cookie attribute is simple as well:

<logout 
    logout-success-url="/anonymous.html" 
    logout-url="/perform_logout"
    delete-cookies="JSESSIONID" />

4.4. success-handler-ref

For more advanced scenarios, where the namespace is not flexible enough, the LogoutSuccessHandler bean from the Spring Context can be replaced by a custom reference:

<logout 
    logout-url="/perform_logout"
    delete-cookies="JSESSIONID"
    success-handler-ref="customLogoutSuccessHandler" />

...
<beans:bean name="customUrlLogoutSuccessHandler" />

Any custom application logic that needs to run when the user successfully logs out can be implemented with custom logout success handler. For example – a simple audit mechanism keeping track of the last page the user was on when they triggered logout:

public class CustomLogoutSuccessHandler extends 
  SimpleUrlLogoutSuccessHandler implements LogoutSuccessHandler {

    @Autowired 
    private AuditService auditService; 

    @Override
    public void onLogoutSuccess
      (HttpServletRequest request, HttpServletResponse response, Authentication authentication) 
      throws IOException, ServletException {
        String refererUrl = request.getHeader("Referer");
        auditService.track("Logout from: " + refererUrl);

        super.onLogoutSuccess(request, response, authentication);
    }
}

Also, keep in mind that this custom bean has the responsibility to determine the destination to which the user is directed after logging out. Because of this, pairing the success-handler-ref attribute with logout-success-url is not going to work, as both cover similar functionality; the end result would be:

org.springframework.beans.factory.parsing.BeanDefinitionParsingException: 
Configuration problem: Use logout-success-url or success-handler-ref, but not both

5. Conclusion

In this example we started by setting up a simple logout sample with Spring Security, and we then discussed the more advanced options available on the namespace element.

The implementation of this Spring Logout Tutorial can be found in the github project – this is an Eclipse based project, so it should be easy to import and run as it is.

When the project runs locally, the sample html can be accessed at:

http://localhost:8080/spring-security-login/login.html

I usually post about Security on Google+ - you can follow me there:

GET THE 3 EBOOKS >>
Download the 3 eBooks: "Rest with Spring", "Persistence with Spring" and "Learn HttpClient"
×
Build Your Web App with Spring (and quickly prototype it to 90%)

,