Issue
I would like to logout programatically using spring boot security in the line that I indicated with the arrow below in my home controller.
The things I tried: I was looking at this article and it is not clear to me how and when is /logout called? I do not want the user to logout with a button or going to a logout endpoint.
I also watched the YT video here but it again uses a form action for /logout. It uses the Logout URL and the Logout Success URL.
I could use the logoutSuccessHandler to clear the cookies but again I do not know how to call the logout programatically that would then invoke the logoutSuccesHandler.
@RequestMapping("/")
public String index(Principal principal) throws IsimConnectionException {
Authentication authentication = (Authentication) principal;
if ((authentication.getPrincipal() != null) && (authentication.isAuthenticated())) {
String shortname = (String)authentication.getPrincipal();
sessionScopedLdapUser.shortname(shortname);
if (isimConn.hasid()) {
**** ---> here I would like to logout and clear cookies
return "hasid";
} else {
return "needsLinking";
}
}
return "index";
}
Here is my websecurity config class:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private static final Logger log = LoggerFactory.getLogger(WebSecurityConfig.class);
@Autowired
private LdapAuthenticationProvider authProvider;
/**
* Defines the web based security configuration.
*
* @param http It allows configuring web based security for specific http requests.
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/css/**", "/js/**", "/images/**", "/sw.js").permitAll()
.anyRequest().fullyAuthenticated()
.and()
.formLogin()
.loginPage("/login") //custom login page
.permitAll() // permit everyone the /login page
.and()
.logout()
.permitAll()
.logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK));
}
/**
* Sets a custom authentication provider.
*
* @param auth SecurityBuilder used to create an AuthenticationManager.
* @throws Exception
*/
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authProvider);
}
}
Solution
public void logout(HttpServletRequest request, HttpServletResponse response) {
boolean isSecure = false;
String contextPath = null;
if (request != null) {
HttpSession session = request.getSession(false);
if (session != null) {
session.invalidate();
}
isSecure = request.isSecure();
contextPath = request.getContextPath();
}
SecurityContext context = SecurityContextHolder.getContext();
SecurityContextHolder.clearContext();
context.setAuthentication(null);
if (response != null) {
Cookie cookie = new Cookie("JSESSIONID", null);
String cookiePath = StringUtils.hasText(contextPath) ? contextPath : "/";
cookie.setPath(cookiePath);
cookie.setMaxAge(0);
cookie.setSecure(isSecure);
response.addCookie(cookie);
}
}
You can call the above method from anywhere to logout from Spring Security. You can pass null for request and response but then it will not invalidate http session and clear cookies in that case.
Answered By - shazin