Home/ Questions/Q 8243937
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-07T21:40:50+00:00

I am developing an application using the Spring Security (3.1) and I encoutered the

  • 0

I am developing an application using the Spring Security (3.1) and I encoutered the following problem. When user logs out, I want to redirect to some custom URL depending if he logs out from a secure page or not. I wrote a custom LogoutHandler, that looks as follow:

@Override
public void onLogoutSuccess(HttpServletRequest request,
        HttpServletResponse response, Authentication authentication)
        throws IOException, ServletException {


    String refererUrl = request.getHeader("Referer");
    if (requiredAuthentication(refererUrl, authentication)) {
        response.sendRedirect(request.getContextPath());
    } else {
        response.sendRedirect(refererUrl);
    }
}

private boolean requiredAuthentication(String url, Authentication authentication){
    return !getPrivilegeEvaluator().isAllowed(url, authentication);
}

So, when the user is logging out from the non-secure page he is logged out and redirected to the same URL, and if he is logging ouf from secure page, he goes to index page.
The problem is, that Authentication object that comes to the method is always authenticated (even though, the method is called AFTER loggin out the user, acording to the specification).
My security context:

<http use-expressions="true" disable-url-rewriting="true" request-matcher-ref="requestMatcher" >


    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" requires-channel="https" />
    <intercept-url pattern="/dashboard/**" access="hasRole('ROLE_OWNER')" requires-channel="https" />
    <intercept-url pattern="/**" access="permitAll"/>

    <form-login login-page="/login"
                authentication-success-handler-ref="successHandler"
                authentication-failure-url="/login"
                login-processing-url="/validate"  />

    <logout logout-url="/logout" invalidate-session="true" success-handler-ref="logoutSuccessHandler" />

    <remember-me services-ref="rememberMeServices" key="KEY"  use-secure-cookie="false" />

    <session-management session-fixation-protection="migrateSession">
        <concurrency-control max-sessions="1" />
    </session-management>

</http>

Do you have any idea, why received Authentication is still valid, when gettig to the logoutSuccessHandler? I can’t edit this object, because it’s fields are final (except the isAuthenticated, but it’s not checked by isAllowed() method..)

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Looking at Spring Security source code, the LogoutFilter gets the Authentication object from the SecurityContextHolder, keeps it on a local variable, and removes it from the holder, via SecurityContextLogoutHandler. After all LogoutHandlers are called, it calls your LogoutSuccessHandler, and passes the Authentication object.

    Even that it says it is valid, it is not anymore in the SecurityContextHolder, so for Spring, the user is logged out.

    • 0