How to invalidate a spring security session?

almost 9 years ago

0
3
Positive Vote
0
Negative Vote
2
Save Favourite
0
0
0
0
14.5k

Comment on it

To invalidate spring security session you need to follow below steps:

1. Add Logout configuration in your applicationContext-security.xml file

Set logout-success-url attribute to /login.jsp. After logout user will be redirected to this page.

<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
          http://www.springframework.org/schema/security
          http://www.springframework.org/schema/security/spring-security-3.1.xsd">

       <http entry-point-ref="authenticationProcessingFilterEntryPoint">
        <intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
        <logout logout-success-url="/login.jsp" />
    </http>


        <beans:bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
        <beans:property name="loginFormUrl" value="/login.jsp" />
        <beans:property name="forceHttps" value="false"/>
    </beans:bean>


    <beans:bean id="authenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
        <custom-filter position="AUTHENTICATION_PROCESSING_FILTER "/>
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="filterProcessesUrl">
            <beans:value>/j_spring_security_check</beans:value>
        </beans:property>
    </beans:bean>

        <authentication-manager>
          <authentication-provider>
            <user-service>
              <user name="srccodes" password="password" authorities="ROLE_USER" />
            </user-service>
          </authentication-provider>
        </authentication-manager>  

</beans:beans>

2. Now create a class and define the code as described below to invalidate session:

    public class SessionUtils {

        public static void logout(HttpServletRequest request) {

            SecurityContextHolder.getContext().setAuthentication(null);
            SecurityContextHolder.clearContext();

            HttpSession hs = request.getSession();
            Enumeration e = hs.getAttributeNames();
            while (e.hasMoreElements()) {
                String attr = e.nextElement();
                hs.setAttribute(attr, null);
            }

            removeCookies(request);
            hs.invalidate();
        }

        public static void removeCookies(HttpServletRequest request) {
            Cookie[] cookies = request.getCookies();
            if (cookies != null && cookies.length > 0) {
                for (int i = 0; i < cookies.length; i++) {
                    cookies[i].setMaxAge(0);
                }
            }
        }

    }

3. Now on click of your logout button call the below function:

SessionUtils.logout(request);

Hope this will help you :)

How to invalidate a spring security session?

0 Comment(s)

Comment on it

Unable to start Java!! Mr. Nerd figure out why..

Positive Votes

:)

:)

good

Negative Votes

Delete Comment

Post Projects

Manage Company