Robby

Reputation: 401

Spring security logout - add a message only when logout triggered from a logged in user

Let's say my logout URL is: app/logout. I need to show a message - "You are successfully logged out" on the logout page only when logout was triggered by clicking the logout button.
The message should not be displayed if the user enters this URL directly. Any idea how to implement this?

Controller:

@RequestMapping(value = "/logout", method = RequestMethod.GET)
public ModelAndView logout(HttpServletRequest request, HttpServletResponse response) {
    ModelAndView model = new ModelAndView();
    // some code here to distinguish
    model.addObject("msg", "You are successfully logged out!");
    model.setViewName("login");
    return model;
}

Spring-Security.xml:

http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">

<http auto-config="true" create-session="ifRequired" use-expressions="true">
    <intercept-url pattern="/logout" access="IS_AUTHENTICATED_REMEMBERED"/>
    <form-login 
        login-page="/login" 
        default-target-url="/home" 
        authentication-failure-url="/login?error" 
        username-parameter="username"
        password-parameter="password" />
    <logout logout-success-url="/logout" invalidate-session="true" delete-cookies="JSESSIONID"/>
    <!-- enable csrf protection -->
    <csrf/>
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="mkyong" password="123456" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>

Upvotes: 1

Views: 822

Answers (2)

Serge Ballesta

Reputation: 149085

As it is for Spring Security, I think that the simplest way is to use Spring Security to restrict /logout to authenticated users.

Using the namespace, it would be:

<intercept-url pattern="/logout" access="IS_AUTHENTICATED_REMEMBERED"/>

Using Java configuration, it would be:

protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/logout").authenticated()
            ...
}

Upvotes: 1

kxyz

Reputation: 842

Add @RequestParam(value = "foo", required = false) Boolean foo

Add this additional parameter to the logout button; if foo exists and is true, do your logic.

Upvotes: 0
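
A server-side way to make the distinction the question asks for, as an added example that is not part of the question or of either answer above: a LogoutSuccessHandler receives the Authentication that was active when logout ran, so it can pick the redirect target itself. The class names, the /login?logout target and the logout parameter name are assumptions.

```java
// Added example; class names, the /login?logout target and the "logout"
// parameter name are assumptions, not taken from the question or answers.
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView;

class MessageAwareLogoutSuccessHandler implements LogoutSuccessHandler {

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication authentication) throws IOException {
        // LogoutFilter passes the Authentication it read from the security
        // context before the logout handlers cleared it; it is null when the
        // request did not belong to a logged-in session.
        boolean wasLoggedIn = authentication != null
                && !(authentication instanceof AnonymousAuthenticationToken)
                && authentication.isAuthenticated();
        String target = request.getContextPath() + (wasLoggedIn ? "/login?logout" : "/login");
        response.sendRedirect(response.encodeRedirectURL(target));
    }
}

@Controller
class LoginPageController {

    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public ModelAndView login(@RequestParam(value = "logout", required = false) String logout) {
        ModelAndView model = new ModelAndView("login");
        // "?logout" with no value binds as an empty string, so test for presence only.
        if (logout != null) {
            model.addObject("msg", "You are successfully logged out!");
        }
        return model;
    }
}
```

In the XML namespace the handler bean is wired with success-handler-ref on the logout element, which cannot be combined with logout-success-url. The logout parameter, like foo in the answer above, can still be typed into the address bar by hand, so it should only ever drive the displayed message.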
