In spring security version 3.0.6, which fixed a CRLF logout exploit (https://jira.springsource.org/browse/SEC-1790) they disabled the use of the 'spring-security-redirect' parameter.
Default support for the redirect parameter in logout URLs has also been removed in 3.0.6. In 3.1 it already needs to be enabled explicitly.
Is there a way to turn the redirect parameter back on, so that I can dynamically redirect in my Grails Spring Security Logout Controller?
LogoutContoller.groovy
def user = springSecurityService.currentUser
if (params.redirect) {
// this needs to log the user out and then redirect, so don't redirect until we log the user out here
log.info "Redirecting " + springSecurityService.currentUser.username + " to " + params.redirect
// the successHandler.targetUrlParameter is spring-security-redirect, which should redirect after successfully logging the user out
redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl + "?spring-security-redirect="+params.redirect
return;
}
redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl // '/j_spring_security_logout'
The following no longer works for versions of spring security 3.0.6+
You can logout programmatically and do manual redirect in a action of controller:
// Bean where Spring Security store logout handlers
def logoutHandlers
// logout action
def logout = {
// Logout programmatically
Authentication auth = SecurityContextHolder.context.authentication
if (auth) {
logoutHandlers.each { handler->
handler.logout(request,response,auth)
}
}
redirect uri:params.redirect
}