spring security logout causes NullPointerException
I've been trying to understand spring-security for some time, and I've gotten around with most of the things except for the logout
aspect. Going through other questions on SO, i felt most of them were facing problems related to the session not terminating.
I, on the other hand, am facing quite a different sort of trouble. My security XML file is configured as follows:
<http path-type="ant" auto-config="false" use-expressions="true"
access-denied-page="/?login_error=2">
<intercept-url pattern="/web/open/**" access="permitAll" />
<intercept-url pattern="/web/**" access="isAuthenticated()" />
<form-login login-processing-url="/static/j_spring_security_check"
default-target-url="/web/base/view" always-use-default-target="true"
login-page="/" authentication-failure-url="/?login_error=1" />
<logout logout-url="/static/j_spring_security_logout"
invalidate-session="true" logout-success-url="/" />
</http>
In my web.xml
i've mapped the login controller
to the context root [using the welcome-file
list], and also have the required springSecurityFilterChain
setup. Now the login operations run perfectly. The target JSP has a logout link as:
&l开发者_开发技巧t;a href="<c:url value="/static/j_spring_security_logout"/>">Logout</a>
However, whenever i click on the logout link, I get a ghastly NullPointerException
. Can anyone let me know if there's some glaring mistake I'm making here?
Exception stack:
java.lang.NullPointerException
at java.util.Hashtable.get(Hashtable.java:334)
at org.apache.tomcat.util.http.Parameters.getParameterValues(Parameters.java:116)
at org.apache.tomcat.util.http.Parameters.getParameter(Parameters.java:127)
at org.apache.catalina.connector.Request.getParameter(Request.java:1133)
at org.apache.catalina.connector.RequestFacade.getParameter(RequestFacade.java:384)
at javax.servlet.ServletRequestWrapper.getParameter(ServletRequestWrapper.java:140)
at org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler.determineTargetUrl(AbstractAuthenticationTargetUrlRequestHandler.java:86)
at org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler.handle(AbstractAuthenticationTargetUrlRequestHandler.java:67)
at org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler.onLogoutSuccess(SimpleUrlLogoutSuccessHandler.java:28)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:100)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
Thanks for taking the time.
The determineTargetUrl
method in AbstractAuthenticationTargetUrlRequestHandler
seems to fail on getting request parameters. For me it's usually fine to provide a defaultTargetUrl
and set alwaysUseDefaultTargetUrl
to true
which meens that determineTargetUrl
always returns the given URL and prevent URL determination magic.
I'd do this by registering my own LogoutSuccessHandler
implementation like:
<logout
logout-url="/static/j_spring_security_logout"
invalidate-session="true"
success-handler-ref="myLogoutSuccessHandler" />
instead of logout-success-url
.
A LogoutSuccessHandler
can look as simple as:
public class MyLogoutSuccessHandler extends AbstractAuthenticationTargetUrlRequestHandler implements LogoutSuccessHandler {
@Override
public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication throws IOException, ServletException {
// maybe do some other things ...
super.handle(request, response, authentication);
}
}
Set your logout URL as defaultTargetUrl
in your security context when defining the bean for the custom LogoutSuccessHandler
:
<bean id="myLogoutSuccessHandler" class="foobar.impl.MyLogoutSuccessHandler">
<property name="defaultTargetUrl" value="/" />
<property name="alwaysUseDefaultTargetUrl" value="true" />
</bean>
精彩评论