Join the social network of Tech Nerds, increase skill rank, get work, manage projects...
 

  • How to invalidate a spring security session?

    @babita.dhami
    Recommendations Offline Message

    • 0
    • 3
    • 0
    • 2
    • 0
    • 0
    • 0
    • 0
    • 11.3k
    Comment on it

    To invalidate spring security session you need to follow below steps:

      1. Add Logout configuration in your applicationContext-security.xml file

    Set logout-success-url attribute to /login.jsp. After logout user will be redirected to this page.

    <beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
          http://www.springframework.org/schema/security
          http://www.springframework.org/schema/security/spring-security-3.1.xsd">

       <http entry-point-ref="authenticationProcessingFilterEntryPoint">
        <intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
        <logout logout-success-url="/login.jsp" />
    </http>


        <beans:bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
        <beans:property name="loginFormUrl" value="/login.jsp" />
        <beans:property name="forceHttps" value="false"/>
    </beans:bean>


    <beans:bean id="authenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
        <custom-filter position="AUTHENTICATION_PROCESSING_FILTER "/>
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="filterProcessesUrl">
            <beans:value>/j_spring_security_check</beans:value>
        </beans:property>
    </beans:bean>

        <authentication-manager>
          <authentication-provider>
            <user-service>
              <user name="srccodes" password="password" authorities="ROLE_USER" />
            </user-service>
          </authentication-provider>
        </authentication-manager>  

</beans:beans>
      2. Now create a class and define the code as described below to invalidate session:
        public class SessionUtils {

        public static void logout(HttpServletRequest request) {

            SecurityContextHolder.getContext().setAuthentication(null);
            SecurityContextHolder.clearContext();

            HttpSession hs = request.getSession();
            Enumeration e = hs.getAttributeNames();
            while (e.hasMoreElements()) {
                String attr = e.nextElement();
                hs.setAttribute(attr, null);
            }

            removeCookies(request);
            hs.invalidate();
        }

        public static void removeCookies(HttpServletRequest request) {
            Cookie[] cookies = request.getCookies();
            if (cookies != null && cookies.length > 0) {
                for (int i = 0; i < cookies.length; i++) {
                    cookies[i].setMaxAge(0);
                }
            }
        }

    }
      3. Now on click of your logout button call the below function:
    SessionUtils.logout(request);

    Hope this will help you :)

    Java Spring Security invalidate session logout in Spring Security
    Comment on it

 0 Comment(s)

Sign In
Forgot Password?
                           OR                           
Create an account !!
                           OR                           
Register

Sign up using

                           OR                           
Forgot Password
Fill out the form below and instructions to reset your password will be emailed to you:
Reset Password
Fill out the form below and reset your password: