spring security customize logout handler

How can开发者_高级运维 I add my own logout handler to LogoutFilter in spring-security ? Thanks!

The following solution works for me and may be helpful:

1. Extend the SimpleUrlLogoutSuccessHandler or implement the LogoutHandler:

   public class LogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {
   
      // Just for setting the default target URL
      public LogoutSuccessHandler(String defaultTargetURL) {
           this.setDefaultTargetUrl(defaultTargetURL);
      }
   
      @Override
      public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
   
           // do whatever you want
           super.onLogoutSuccess(request, response, authentication);
      }
   }
   

2. Add to your Spring Security Configuration:

   <security:logout logout-url="/logout" success-handler-ref="logoutSuccessHandler" />
   <bean id="logoutSuccessHandler" class="your.package.name.LogoutSuccessHandler" >
       <constructor-arg value="/putInYourDefaultTargetURLhere" />
   </bean>
   

See the answer in this post in the Spring Security Forum:

XML Definition:

<beans:bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
    <custom-filter position="LOGOUT_FILTER"/>
    <beans:constructor-arg index="0" value="/logout.jsp"/>
    <beans:constructor-arg index="1">
        <beans:list>
            <beans:ref bean="securityContextLogoutHandler"/>
            <beans:ref bean="myLogoutHandler"/>
        </beans:list>
    </beans:constructor-arg>
</beans:bean>

<beans:bean id="securityContextLogoutHandler" class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"/>

<beans:bean id="myLogoutHandler" class="com.whatever.CustomLogoutHandler">
    <beans:property name="userCache" ref="userCache"/>
</beans:bean>

LogoutHandler class:

public class CustomLogoutHandler implements LogoutHandler {
    private UserCache userCache;

    public void logout(final HttpServletRequest request, final HttpServletResponse response, final Authentication authentication) {
        // ....
    }

    @Required
    public void setUserCache(final UserCache userCache) {
        this.userCache = userCache;
    }
}

You can use java-config solutions like this.

@Configuration
@EnableWebSecurity

public class SpringSecurity2Config extends WebSecurityConfigurerAdapter {


    @Override
    protected void configure(HttpSecurity http) throws Exception {
       //you can set other security config by call http.XXX()

        http
                .logout()
                .addLogoutHandler(new CustomLogoutHandler())
                .logoutUrl("/logout")
                .logoutSuccessHandler(...)
                .permitAll();

    }

    static class CustomLogoutHandler implements LogoutHandler {
        @Override
        public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
            //...

        }

    }

}

You should use success-handler-ref attribute of <logout> element:

<security:logout invalidate-session="true"
          success-handler-ref="myLogoutHandler"
          logout-url="/logout" />

As alternative solution you can configure your own filter on the logout URL.