Spring Security Logout does not work

0

Hi, I'm using Spring Security 4 in my application and I have the following configuration for the login:

http.authorizeRequests()
        //.antMatchers("/cliente/**").access("hasAnyAuthority('OPERADOR')")
        //.antMatchers(HttpMethod.POST).access("hasAnyAuthority('OPERADOR')")
        .antMatchers("/cliente/**").access("isAuthenticated()")
        .antMatchers(HttpMethod.POST).access("isAuthenticated()")
        .antMatchers("resources/**").permitAll()
        .antMatchers("*/css/**").permitAll()
        .antMatchers("*/fonts/**").permitAll()
        .antMatchers("*/img/**").permitAll()
        .antMatchers("*/js/**").permitAll()
    .and().formLogin()
        .loginPage("/auth/login").permitAll()
        .defaultSuccessUrl("/cliente/crear")
        .successHandler(new LoginSucessHandler())
        .failureUrl("/auth/login?error=true")
    .and().exceptionHandling()
        .accessDeniedPage("/auth/denied");

and for the logout I have the following:

@RequestMapping(value = {"/logout"}, method = RequestMethod.GET)
public String logoutDo(HttpServletRequest request, HttpServletResponse response) {
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth != null) {
        HttpSession session = request.getSession(false);
        // only clears the thread-local SecurityContext for this request
        SecurityContextHolder.clearContext();
        //session= request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // getCookies() returns null when the request carries no cookies, and
        // setMaxAge(0) on a request cookie has no effect unless the cookie is
        // written back to the response with the path it was issued under
        if (request.getCookies() != null) {
            String path = request.getContextPath().isEmpty() ? "/" : request.getContextPath();
            for (Cookie cookie : request.getCookies()) {
                cookie.setMaxAge(0);
                cookie.setPath(path);
                response.addCookie(cookie);
            }
        }
        //new SecurityContextLogoutHandler().logout(request, response, auth);
    }
    return "redirect:/auth/login";
}

I am currently using concurrent session control (maximumSessions). When I log in with a user who is allowed a single session, I get in normally, but then I log out, try to log in again, and get the following message:

maximum sessions of 1 for this principal exceeded

I have read in forums that the following should be added:

<listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

but I have already added it and followed the instructions in the following link, and the problem keeps happening. I do not know what could be missing. I also have the logout link pointing to /auth/logout?${_csrf.parameterName}=${_csrf.token}. Any solution? Has this happened to you?

asked by Luigi Marquez 12.09.2017 at 15:26

1 answer

0

I think the problem is that clearContext() does not do what you think it does; try:

@RequestMapping(value = "/logout", method = RequestMethod.GET)
public String logoutPage(HttpServletRequest request, HttpServletResponse response) {
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth != null) {
        // invalidates the HTTP session and clears the SecurityContext,
        // the same work Spring Security's own LogoutFilter does
        new SecurityContextLogoutHandler().logout(request, response, auth);
    }
    return "redirect:/login?logout"; // redirect to the login page
}
answered 12.09.2017 at 16:18
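Putting the pieces of the question and the answer together, as an added example that is not code from the original question or answer: a Spring Security 4 Java configuration that lets the framework's own LogoutFilter perform the logout (POST, CSRF-protected, session invalidated so that HttpSessionEventPublisher, kept as the web.xml listener shown in the question, removes the session from the registry), declares the SessionRegistry as a bean next to maximumSessions(1), and, for applications that insist on a controller, a handler that does the same work by hand. The class names, the /auth/manual-logout path and the deny-by-default anyRequest() rule are assumptions of this example, not taken from the page.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Declared as a bean so the SessionDestroyedEvents published by HttpSessionEventPublisher
    // (the web.xml <listener> from the question) reach the registry the concurrency check uses.
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Patterns are matched against the path inside the application,
                // so static resources need the leading slash.
                .antMatchers("/resources/**", "/css/**", "/fonts/**", "/img/**", "/js/**").permitAll()
                .antMatchers("/cliente/**").authenticated()
                .antMatchers(HttpMethod.POST).authenticated()
                .anyRequest().authenticated()          // deny by default (assumption)
            .and()
            .formLogin()
                .loginPage("/auth/login").permitAll()
                .defaultSuccessUrl("/cliente/crear")
                .failureUrl("/auth/login?error=true")
            .and()
            .exceptionHandling()
                .accessDeniedPage("/auth/denied")
            .and()
            .logout()
                // CSRF is on by default in Spring Security 4, so LogoutFilter only accepts
                // POST /auth/logout carrying the _csrf parameter. Its SecurityContextLogoutHandler
                // invalidates the session, which fires the event that drops it from the registry.
                .logoutUrl("/auth/logout")
                .logoutSuccessUrl("/auth/login?logout")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
            .and()
            .sessionManagement()
                .maximumSessions(1)
                    .sessionRegistry(sessionRegistry())
                    // true rejects the second login with "maximum sessions of 1 for this
                    // principal exceeded"; false (the default) expires the older session instead.
                    .maxSessionsPreventsLogin(true)
                    .expiredUrl("/auth/login?expired");
    }
}

// Only for applications that insist on a controller: does by hand what LogoutFilter
// does above. The path is an assumption for this example.
@Controller
class ManualLogoutController {
    private final SessionRegistry sessionRegistry;

    @Autowired
    ManualLogoutController(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    // POST only: a GET logout can be triggered from any third-party page and puts
    // the CSRF token into browser history, Referer headers and server logs.
    @RequestMapping(value = "/auth/manual-logout", method = RequestMethod.POST)
    public String logout(HttpServletRequest request, HttpServletResponse response) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Explicit removal does not depend on the listener being wired; harmless
            // when the session-destroyed event removes the entry as well.
            sessionRegistry.removeSessionInformation(session.getId());
        }
        // Invalidates the session and clears the SecurityContext in one step
        // (SecurityContextHolder.clearContext() alone only touches the thread-local).
        new SecurityContextLogoutHandler().logout(request, response, auth);
        return "redirect:/auth/login?logout";
    }
}
```

Submit the logout as a form POST carrying the CSRF token rather than a GET link: with CSRF enabled the filter rejects GET, and a GET logout URL can be fired from another site and leaks the token into history and logs. With maxSessionsPreventsLogin(true), any session that is never invalidated, or whose destruction the registry never hears about because the listener is not registered, keeps the user locked out until it times out, which is exactly the message reported in the question; switching to the default false would expire the stale session on the next login instead.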