
Chapter 3 Enhancing the User Experience (Logout)

Understanding logout functionality

Adding a Log Out link to the site header

The signature URL for logging the user out is /j_spring_security_logout. Adding a logout link is really as simple as putting an anchor tag with the appropriate href in the header.jsp file:

<c:url value="/j_spring_security_logout" var="logoutUrl"/>
<li><a href="${logoutUrl}">Log Out</a></li>

How logout works

Remember that every request for a URL goes through the entire Spring Security filter chain, before being resolved to a servlet request. So, although the URL request for /j_spring_security_logout doesn't correspond to a JSP in our system, it doesn't have to be a real JSP or Spring MVC destination in order to be handled. These types of URLs are often referred to as virtual URLs.

The URL request for /j_spring_security_logout is intercepted by the o.s.s.web.authentication.logout.LogoutFilter. One of the many filters in the default Spring Security filter chain, the LogoutFilter looks for this particular virtual URL and takes action.

Let's quickly examine the configuration that the security namespace provides us with regard to the default logout functionality:

<http auto-config="true" use-expressions="true">
    <logout invalidate-session="true"
            logout-success-url="/"
            logout-url="/j_spring_security_logout"/>
</http>


This baseline configuration will look for the logout URL specified in the logout-url attribute and log the user out. Logging the user out involves the following three steps:

1. Invalidating the HTTP session (if invalidate-session is set to true).
2. Clearing the SecurityContext (effectively logging the user out).
3. Redirecting to the URL specified in logout-success-url.

o.s.s.web.authentication.logout.LogoutHandler is an interface whose implementation classes can be invoked upon user logout by the LogoutFilter. It is possible (although complex) to implement your own LogoutHandler that will be tied into the LogoutFilter lifecycle. The default set of LogoutHandlers that are configured with the LogoutFilter are responsible for clearing the session and cleaning up the remember-me feature, so that the user's session is now operating with no remaining authentication associated. Finally, the redirection to a URL after logout is performed by a default implementation of the interface o.s.s.web.authentication.logout.LogoutSuccessHandler. This default implementation simply redirects to the configured success URL (the default is /), but it can be replaced to perform anything else that your application needs done after the user is logged out. It is important to note that logout handlers should not throw exceptions: all of them must execute in order to avoid leaving the user's secured session in an inconsistent state. Take care that exceptions are properly handled and logged when implementing your own logout handlers.
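The following is an added example, not code from the book or from the Spring Security project, showing the three logout steps above assembled by hand and a custom LogoutHandler that follows the "never throw" rule. The package name, the class names AuditLogoutHandler, RedirectLogoutSuccessHandler and LogoutSupport, and the use of commons-logging for the audit line are assumptions made for this example; the Spring Security types, constructors and setters used (LogoutFilter, SecurityContextLogoutHandler, the LogoutHandler and LogoutSuccessHandler interfaces) are the real 3.x API.

```java
package com.example.security; // hypothetical package for this added example

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;

public class LogoutSupport {

    private static final Log log = LogFactory.getLog(LogoutSupport.class);

    /**
     * Extra LogoutHandler (hypothetical): writes an audit line for the user being
     * logged out. It deliberately catches and logs its own failures so that the
     * handlers running after it (session invalidation, SecurityContext clearing)
     * still execute, as the text requires.
     */
    public static class AuditLogoutHandler implements LogoutHandler {
        public void logout(HttpServletRequest request, HttpServletResponse response,
                           Authentication authentication) {
            // authentication is null when an unauthenticated client requests the logout URL
            String user = (authentication == null) ? "<anonymous>" : authentication.getName();
            try {
                log.info("logout: user=" + user + " from=" + request.getRemoteAddr());
            } catch (RuntimeException e) {
                log.error("logout audit failed for user=" + user, e);
            }
        }
    }

    /**
     * LogoutSuccessHandler (hypothetical) equivalent to logout-success-url: redirects to a
     * fixed context-relative URL and marks the redirect response as non-cacheable.
     */
    public static class RedirectLogoutSuccessHandler implements LogoutSuccessHandler {
        private final String targetUrl;

        public RedirectLogoutSuccessHandler(String targetUrl) {
            this.targetUrl = targetUrl;
        }

        public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                    Authentication authentication)
                throws IOException, ServletException {
            response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
            response.setHeader("Pragma", "no-cache");
            response.sendRedirect(request.getContextPath() + targetUrl);
        }
    }

    /**
     * Assembles a LogoutFilter performing the three steps from the text:
     *   1. invalidate the HTTP session   (SecurityContextLogoutHandler, invalidateHttpSession=true)
     *   2. clear the SecurityContext     (SecurityContextLogoutHandler)
     *   3. redirect to the success URL   (RedirectLogoutSuccessHandler)
     * plus the audit handler. Handlers run in the order they are passed to the filter.
     */
    public static LogoutFilter buildLogoutFilter(String logoutUrl, String successUrl) {
        SecurityContextLogoutHandler contextHandler = new SecurityContextLogoutHandler();
        contextHandler.setInvalidateHttpSession(true);

        LogoutFilter filter = new LogoutFilter(
                new RedirectLogoutSuccessHandler(successUrl),
                new AuditLogoutHandler(),   // runs first, while the session still exists
                contextHandler);
        // the virtual URL the filter intercepts, e.g. "/logout" instead of "/j_spring_security_logout"
        filter.setFilterProcessesUrl(logoutUrl);
        return filter;
    }
}
```

A filter built this way is registered in the namespace configuration with `<custom-filter position="LOGOUT_FILTER" ref="logoutFilter"/>`, in place of the `<logout>` element (and without auto-config="true", which would register a second LogoutFilter at the same position). If only the success behaviour needs changing, keep the `<logout>` element and point its success-handler-ref attribute at a bean of the RedirectLogoutSuccessHandler type instead.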

Changing the logout URL

Let's test overriding the default logout URL to provide a simple example of modifying the automatically configured behavior. We'll change the logout URL to /logout.

<http auto-config="true" use-expressions="true">
    ...
    <logout invalidate-session="true"
            logout-success-url="/"
            logout-url="/logout"/>
</http>


Restart the application and try it out! You'll observe that instead of /j_spring_security_logout, the /logout URL will be used to log the user out. You may also notice that if you try /j_spring_security_logout, you'll get a Page Not Found (404) error, because the URL doesn't correspond to an actual servlet resource and is no longer handled by a request filter.

Logout configuration directives
