Changing Spring Security logout-success-url programmatically
I need to redirect the user to 2 different logout URLs based on his role. How do I go about doing this?
I am using Spring Security 2.0 and my XML looks something like this:
<s:http access-denied-page="/" >
    <s:intercept-url pattern="/pages/SplashPage.jsf" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <s:intercept-url pattern="/pages/Home.jsf" access="ROLE_USER,ROLE_MERCHANT"/>
    <s:anonymous/>
    <s:form-login
        login-page="/"
        login-processing-url="/j_spring_security_check"
        default-target-url="/pages/Home.jsf"
        authentication-failure-url="/" always-use-default-target='false' />
    <s:logout invalidate-session="true" logout-url="/pages/logout.jsf" logout-success-url="/" />
    <s:concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="false"/>
</s:http>
I couldn't find any right way to do this, so I ended up with a hack:
- don't invalidate-session
- change the logout-success-url to a special redirect controller
- in that controller, pull the user session to tell the user type
- invalidate the session
- redirect to the proper URL for the user type
EDIT - updated to a Spring Security 2.0 solution.
Replace the LogoutFilter with a subclass that overrides doFilterHttp:
public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException,
        ServletException {
    if (requiresLogout(request, response)) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (logger.isDebugEnabled()) {
            logger.debug("Logging out user '" + auth + "' and redirecting to logout page");
        }
        for (int i = 0; i < handlers.length; i++) {
            handlers[i].logout(request, response, auth);
        }
        // Do role-specific logic here to determine targetUrl
        sendRedirect(request, response, targetUrl);
        return;
    }
    chain.doFilter(request, response);
}
Replace the LogoutFilter as follows:
<beans:bean id="myLogoutFilter" class="com.mycompany.MyLogoutFilter">
    <custom-filter position="LOGOUT_FILTER"/>
</beans:bean>