mkoryak

Reputation: 57968

Changing Spring Security logout-success-url programmatically

I need to redirect the user to 2 different logout URLs based on his role. How do I go about doing this?

I am using Spring Security 2.0 and my XML looks something like this:

    <s:http access-denied-page="/" >
        <s:intercept-url pattern="/pages/SplashPage.jsf" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <s:intercept-url pattern="/pages/Home.jsf" access="ROLE_USER,ROLE_MERCHANT"/>

        <s:anonymous/>
        <s:form-login
            login-page="/"
            login-processing-url="/j_spring_security_check"
            default-target-url="/pages/Home.jsf"
            authentication-failure-url="/" always-use-default-target='false' />
        <s:logout invalidate-session="true" logout-url="/pages/logout.jsf" logout-success-url="/" />
        <s:concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="false"/>
    </s:http>

Upvotes: 5

Views: 4828

Answers (2)

sourcedelica

Reputation: 24047

EDIT - updated to a Spring Security 2.0 solution.

Replace the LogoutFilter with a subclass that overrides doFilterHttp:

    public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {

        if (requiresLogout(request, response)) {
            // May be null if nobody is logged in on this request
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();

            if (logger.isDebugEnabled()) {
                logger.debug("Logging out user '" + auth + "' and redirecting to logout page");
            }

            for (int i = 0; i < handlers.length; i++) {
                handlers[i].logout(request, response, auth);
            }

            // LogoutFilter's default target; replaced by the role-specific choice below
            String targetUrl = determineTargetUrl(request, response);

            // Do role-specific logic here to determine targetUrl

            sendRedirect(request, response, targetUrl);

            return;
        }

        chain.doFilter(request, response);
    }

Replace the LogoutFilter as follows:

    <beans:bean id="myLogoutFilter" class="com.mycompany.MyLogoutFilter">
      <custom-filter position="LOGOUT_FILTER"/>
    </beans:bean>

Upvotes: 0
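A filled-in version of the subclass sketched in the answer above, as an added example that is not part of the original answer. It assumes the Spring Security 2.0 API (`LogoutFilter(String, LogoutHandler[])`, `setFilterProcessesUrl`, array-valued `getAuthorities()`); `MERCHANT_URL` and `targetFor` are hypothetical names, and the target paths are fixed server-side so the redirect never depends on request input.

```java
package com.mycompany; // package name taken from the bean definition in the answer

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.ui.logout.LogoutFilter;
import org.springframework.security.ui.logout.LogoutHandler;

public class MyLogoutFilter extends LogoutFilter {
    // Hypothetical targets: constants, never read from a request parameter.
    private static final String MERCHANT_URL = "/pages/MerchantGoodbye.jsf";
    private static final String DEFAULT_URL = "/";

    private final LogoutHandler[] handlers; // own copy; the parent's field is private

    public MyLogoutFilter(LogoutHandler[] handlers) {
        super(DEFAULT_URL, handlers);
        this.handlers = handlers;
        setFilterProcessesUrl("/pages/logout.jsf"); // logout-url from the question
    }

    public void doFilterHttp(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        if (!requiresLogout(request, response)) {
            chain.doFilter(request, response);
            return;
        }
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Pick the target first: the handlers clear the context and the session.
        String targetUrl = targetFor(auth);
        for (int i = 0; i < handlers.length; i++) {
            handlers[i].logout(request, response, auth);
        }
        sendRedirect(request, response, targetUrl);
    }

    static String targetFor(Authentication auth) {
        if (auth == null) return DEFAULT_URL; // nobody was logged in
        GrantedAuthority[] granted = auth.getAuthorities();
        for (int i = 0; granted != null && i < granted.length; i++) {
            if ("ROLE_MERCHANT".equals(granted[i].getAuthority())) return MERCHANT_URL;
        }
        return DEFAULT_URL;
    }
}
```

The bean definition then needs a constructor argument listing the logout handlers, for example a `SecurityContextLogoutHandler`, so the session is still invalidated inside the filter.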

mkoryak

Reputation: 57968

I couldn't find any right way to do this, so I ended up with a hack:

  1. don't invalidate-session
  2. change the logout-success-url to special redirect controller
  3. in that controller, pull the user session to tell the user type
  4. invalidate the session
  5. redirect to proper url for the usertype

Upvotes: 2
