I retrofitted my GWT/GXT application with basic LDAP Authorization using basic HTTP authentication. It works well when I start new browser – I get the prompt and get authorized against corporate LDAP. My problem – I can’t logout unless I close/reopen the browser. I can debug and see how SecurityContextLogoutHandler#logout is called and the following code is executed
if (invalidateHttpSession) {
HttpSession session = request.getSession(false);
if (session != null) {
session.invalidate();
}
}
SecurityContextHolder.clearContext();
However it seemingly has no effect as site is reloaded and I never get another HTTP auth prompt unless I restart the browser (even clearing the cache/cookies won’t help). Here’s relevant portion of applicationContext.xml
<security:http auto-config='true'>
<security:intercept-url pattern="/reports/**" access="ROLE_USER" />
<security:http-basic />
<security:logout logout-url="/reports/logout"
logout-success-url="/reports/Application.html" />
</security:http>
I tried to define custom LogoutSuccessHandler and do authentication.setAuthenticated(false); but that also has no effect
Anything here I’m missing here? Your help will be much appreciated
OK. after spending way too much time with this I think I have the answer. It’s simple – one cannot bail out of basic HTTP authentication using server-side technology. Basically authorization string is base-64 decoded in the HTTP header and when protected page is loaded to the browser the security token gets repopulated so no matter how often you erase it on the server it gets resurrected every time the page is called. I suppose it is possible to play some clever tricks on the browser side but that would be brittle and unreliable
For my case I will be switching to form-based authentication which gives much better control over login/logout process anyways.
I will hold on accepting my own answer in favor someone coming out with acceptable solution