Join the social network of Tech Nerds, increase skill rank, get work, manage projects...
 
  • How to invalidate a spring security session?

    • 0
    • 3
    • 0
    • 2
    • 0
    • 0
    • 0
    • 0
    • 14.6k
    Comment on it

    To invalidate spring security session you need to follow below steps:

      1. Add Logout configuration in your applicationContext-security.xml file

    Set logout-success-url attribute to /login.jsp. After logout user will be redirected to this page.

    <beans:beans xmlns="http://www.springframework.org/schema/security"
      xmlns:beans="http://www.springframework.org/schema/beans"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/beans
              http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
              http://www.springframework.org/schema/security
              http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    
           <http entry-point-ref="authenticationProcessingFilterEntryPoint">
            <intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
            <logout logout-success-url="/login.jsp" />
        </http>
    
    
            <beans:bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
            <beans:property name="loginFormUrl" value="/login.jsp" />
            <beans:property name="forceHttps" value="false"/>
        </beans:bean>
    
    
        <beans:bean id="authenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
            <custom-filter position="AUTHENTICATION_PROCESSING_FILTER "/>
            <beans:property name="authenticationManager" ref="authenticationManager" />
            <beans:property name="filterProcessesUrl">
                <beans:value>/j_spring_security_check</beans:value>
            </beans:property>
        </beans:bean>
    
            <authentication-manager>
              <authentication-provider>
                <user-service>
                  <user name="srccodes" password="password" authorities="ROLE_USER" />
                </user-service>
              </authentication-provider>
            </authentication-manager>  
    
    </beans:beans>
    
      2. Now create a class and define the code as described below to invalidate session:
        public class SessionUtils {
    
            public static void logout(HttpServletRequest request) {
    
                SecurityContextHolder.getContext().setAuthentication(null);
                SecurityContextHolder.clearContext();
    
                HttpSession hs = request.getSession();
                Enumeration e = hs.getAttributeNames();
                while (e.hasMoreElements()) {
                    String attr = e.nextElement();
                    hs.setAttribute(attr, null);
                }
    
                removeCookies(request);
                hs.invalidate();
            }
    
            public static void removeCookies(HttpServletRequest request) {
                Cookie[] cookies = request.getCookies();
                if (cookies != null && cookies.length > 0) {
                    for (int i = 0; i < cookies.length; i++) {
                        cookies[i].setMaxAge(0);
                    }
                }
            }
    
        }
      3. Now on click of your logout button call the below function:
    SessionUtils.logout(request);

    Hope this will help you :)

 0 Comment(s)

Sign In
                           OR                           
                           OR                           
Register

Sign up using

                           OR                           
Forgot Password
Fill out the form below and instructions to reset your password will be emailed to you:
Reset Password
Fill out the form below and reset your password: