
Spring Security 3 Logout not working


I am new to spring security. I have created an example in spring security 3.

I am facing a problem. I am able to log in successfully with the default login page, but when I log out, I am successfully redirected to my loggedout.jsp; however, when I check by altering the URL I see that I am still logged in.

The Spring security.xml:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http pattern="/loggedout.jsp" security="none" />

    <http auto-config='true'>
        <intercept-url pattern="/**" access="ROLE_USER" />
        <logout logout-success-url="/loggedout.jsp" invalidate-session="true"
            delete-cookies="JSESSIONID" />

        <!-- <remember-me key="myAppKey" /> -->
        <!-- <session-management invalid-session-url="/timeout.jsp">
            <concurrency-control max-sessions="1"
                error-if-maximum-exceeded="true" />
        </session-management> -->
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="vrajesh" password="vrajesh"
                    authorities="ROLE_USER,ROLE_ADMIN" />
                <user name="test" password="test"
                    authorities="ROLE_USER,ROLE_ADMIN" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

    <!--
        <http pattern="/loggedout.jsp" security="none"/>
        <http use-expressions="true">
            <intercept-url pattern="/**" access="ROLE_USER" />
            <form-login />
            <logout logout-success-url="/loggedout.jsp"
                delete-cookies="JSESSIONID"/>
            <remember-me />
            <session-management invalid-session-url="/timeout.jsp">
                <concurrency-control max-sessions="1"
                    error-if-maximum-exceeded="true" />
            </session-management>
        </http>
    -->

</beans:beans>

This is my logout link on every page:

<p><a href="j_spring_security_logout">Logout</a></p>

and this is my loggedout.jsp:

<p>
You have been logged out. <a href="<c:url value='/'/>">Start again</a>.
</p>

In my loggedout.jsp, if I click on the 'Start again' link it should display the login page, but it does not. Instead I am logged in to the application.

Please help me and let me know if I am missing anything.
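An added check, not code from the question or the answer, that scripts the "alter the URL after logout" test with curl. It assumes Spring Security 3's default URLs (/j_spring_security_check with j_username/j_password, login page at /spring_security_login) and a base URL such as http://localhost:8080/myapp, which is an assumption.

```shell
#!/usr/bin/env bash
# Added example: log in, log out, then request a protected page with the same
# cookie jar and confirm the server no longer treats the session as
# authenticated. Being redirected to loggedout.jsp alone proves nothing.

# Pure decision: given the status code and Location header returned for a
# protected URL after logout, is the session really gone?
#   200            -> the page was served, so we are still logged in
#   3xx to *login* -> redirected to the login page, logout took effect
logout_effective() {
  local status="$1" location="$2"
  case "$status" in
    3[0-9][0-9]) ;;
    *) return 1 ;;
  esac
  case "$location" in
    *login*) return 0 ;;   # matches /spring_security_login and most custom pages
    *) return 1 ;;
  esac
}

# Round trip against a running application. LOGOUT_PATH defaults to the
# Spring Security 3 filter URL; pass /logout.html to test the answer's setup.
check_logout() {
  local base="$1" user="$2" pass="$3" logout_path="${4:-/j_spring_security_logout}"
  local jar; jar=$(mktemp)
  # 1. authenticate through the default form-login processing URL
  curl -s -o /dev/null -c "$jar" -b "$jar" \
    --data-urlencode "j_username=$user" --data-urlencode "j_password=$pass" \
    "$base/j_spring_security_check"
  # 2. log out with an absolute URL under the context path, so the request
  #    reaches the LogoutFilter regardless of which page the link lives on
  curl -s -o /dev/null -c "$jar" -b "$jar" "$base$logout_path"
  # 3. re-request a protected page (/** requires ROLE_USER in the question's config)
  local hdrs status location
  hdrs=$(curl -s -D - -o /dev/null -b "$jar" "$base/")
  status=$(printf '%s\n' "$hdrs" | awk 'NR==1 {print $2}')
  location=$(printf '%s\n' "$hdrs" | awk 'tolower($1)=="location:" {print $2}' | tr -d '\r')
  rm -f "$jar"
  logout_effective "$status" "$location"
}

# Usage: check_logout http://localhost:8080/myapp test test && echo "logout OK"
```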


Solution

  • I had a problem when referencing j_spring_security_logout, so I did this:

    1.- In spring-security.xml I added this to the section:

    <logout logout-url="/logout.html"/>
    

    2.- In my controller I just have:

    @RequestMapping(value = "logout.html", method = RequestMethod.GET)
    public String logout(ModelMap model, HttpServletRequest request) {
        return "loginform";
    }
    

    3.- In my .jsp:

     <a href="${pageContext.request.contextPath}/logout.html"><fmt:message key="text.exit" /></a>
    

    And it works flawlessly :)

    You can check additional logout configurations here.