Spring Security Logout Example

Spring Security provides a logout handling service that logs the user out when a particular URL is requested (by default /j_spring_security_logout). LogoutFilter starts processing when a request arrives for the /j_spring_security_logout URL and delegates to one or more LogoutHandlers to perform the actual logout work, such as clearing the security context and invalidating the session. After logout, the user is redirected to the URL configured as logout-success-url.

In this example, we'll integrate Spring's logout handling mechanism into the Spring Security 3 Hello World Example to demonstrate logout functionality.

Tools and Technologies used in this article

  1. Spring Framework 3.1.4
  2. Spring Security 3.1.4
  3. Spring Tool Suite 3.2
  4. JDK 1.6
  5. Tomcat 7

1. Import 'Spring Security 3 Hello World Example' project

Download and import the code from my previous post on Spring Security 3 Hello World Example.

2. Add Logout configuration

Set the logout-success-url attribute to /logoutSuccess.jsp. After logout, the user will be redirected to this page.

<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
          http://www.springframework.org/schema/security
          http://www.springframework.org/schema/security/spring-security-3.1.xsd">
           
    <http auto-config='true'>
      <intercept-url pattern="/secured/*" access="ROLE_USER" />
      <logout logout-success-url="/logoutSuccess.jsp"/>
    </http>
       
    <authentication-manager>
      <authentication-provider>
        <user-service>
          <user name="srccodes" password="password" authorities="ROLE_USER" />
        </user-service>
      </authentication-provider>
    </authentication-manager>   
           
</beans:beans>

If you want to use a custom logout URL (say /logout) instead of the default one (/j_spring_security_logout), use the logout-url attribute as shown below.

<logout logout-url="/logout" logout-success-url="/logoutSuccess.jsp"/>

3. Add Logout success page

Add the following logoutSuccess.jsp under the webapp directory.
File: /logoutSuccess.jsp

<html>
<title>Logged out</title>
<body>
<h2>You have been logged out successfully.</h2>
</body>
</html>

4. Add Logout url

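Add a link to the custom logout URL /logout in mypage.jsp. The link works only when logout-url="/logout" is configured as shown in step 2; with the default configuration it must point to /j_spring_security_logout instead.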
File: WEB-INF/pages/secured/mypage.jsp

<html>
<title>My Secured Page</title>
<body>
<h2>Hello World!</h2>
<h4>${message}</h4>
<br/>
<a href="/SpringSecurityHelloWorld/logout">Logout</a>
</body>
</html>

5. Overall Project Structure

6. Demo

Start the server and deploy the web application. Open the URL http://<host>:<port>/SpringSecurityHelloWorld/secured/mypage. We'll be redirected to the login page. Using the correct username (srccodes) and password (password), we'll be able to view the content of the secured page, which contains our custom logout link.

On clicking the 'Logout' link, Spring Security will perform the logout and redirect us to the logout-success-url as configured.

To recheck, try to open http://<host>:<port>/SpringSecurityHelloWorld/secured/mypage again; we'll be redirected to the login page once more. This means we have been properly logged out of the application.
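
The same recheck can be done without a running server. The following is an added example, not code from the original post or its GitHub project: it hand-wires a LogoutFilter to mirror the /logout and /logoutSuccess.jsp settings used above and drives it with Spring's mock servlet objects. It assumes spring-test and the Servlet API are on the classpath next to Spring Security 3.1.4; the class name LogoutFilterCheck and the mock request are constructed for illustration.

```java
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;

/** Added example (hypothetical class name): drives LogoutFilter with mock servlet objects. */
public class LogoutFilterCheck {
    public static void main(String[] args) throws Exception {
        // Hand-wired to mirror logout-url="/logout" and logout-success-url="/logoutSuccess.jsp".
        LogoutFilter filter = new LogoutFilter("/logoutSuccess.jsp", new SecurityContextLogoutHandler());
        filter.setFilterProcessesUrl("/logout");

        // Constructed request: a logged-in user with a live session follows the Logout link.
        MockHttpServletRequest request =
                new MockHttpServletRequest("GET", "/SpringSecurityHelloWorld/logout");
        request.setContextPath("/SpringSecurityHelloWorld");
        request.setServletPath("/logout"); // a real container would populate this as well
        MockHttpSession session = (MockHttpSession) request.getSession(true);
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken("srccodes", "password",
                        AuthorityUtils.createAuthorityList("ROLE_USER")));
        MockHttpServletResponse response = new MockHttpServletResponse();

        filter.doFilter(request, response, new MockFilterChain());

        // The three effects a logout must have; fail loudly if any is missing.
        require(session.isInvalid(), "HTTP session was not invalidated");
        require(SecurityContextHolder.getContext().getAuthentication() == null,
                "SecurityContext still holds an Authentication");
        String redirect = response.getRedirectedUrl();
        require(redirect != null && redirect.endsWith("/logoutSuccess.jsp"),
                "no redirect to logout-success-url, got: " + redirect);
        System.out.println("logout OK, redirected to " + redirect);
    }

    private static void require(boolean ok, String message) {
        if (!ok) {
            throw new IllegalStateException(message);
        }
    }
}
```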

Download SrcCodes

All code samples shown in this post are available on GitHub.
