Spring Security - After logout able to access application through url

Muhammad Abdul Arif
Greenhorn

Joined: Feb 04, 2012
Posts: 25
Hi All,

In our application we are using Spring Security 3.0. The issue is that after logging out from the application, if I access the application by changing the URL, I get a null pointer exception. This is happening only for those URLs which I am not authenticating in Spring Security. Why am I allowed to access the URL after the session has expired? Spring should first check if the session is valid and then forward me to the request. Below are the filters I configured

Muhammad Abdul Arif
Greenhorn

Joined: Feb 04, 2012
Posts: 25
It's resolved... thanks... the issue was with a URL mismatch
Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17249
    

If you are using Spring Security 3.0, why do you have all those Spring Security beans defined? That is about 300 lines of XML that you don't need. You get that with just the <security:http> tag in the security namespace. Much shorter than 300 lines of XML.

Mark


Perfect World Programming, LLC - Two Laptop Bag - Tube Organizer
How to Ask Questions the Smart Way FAQ
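
A Spring Security 3.0 namespace configuration of the kind suggested above, as an added example that is not part of the original thread. It shows how a pattern mismatch leaves a URL with no access check after logout, beside a corrected version with a catch-all rule. The paths, role name and sample user are constructed assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- WEAK (constructed, kept commented out): only /secure/** is matched.
       A request for /reports/list.do matches no intercept-url, so no access
       check is applied and it reaches the controller even after logout,
       where code expecting a session object fails.
  <security:http auto-config="true">
    <security:intercept-url pattern="/secure/**" access="ROLE_USER"/>
    <security:logout/>
  </security:http>
  -->

  <!-- CORRECTED: patterns are tried top to bottom and the first match wins,
       so the specific exceptions come first and the catch-all comes last. -->
  <security:http auto-config="true">
    <!-- The login page must stay reachable without a session. -->
    <security:intercept-url pattern="/login.jsp"
                            access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <!-- Static resources bypass the filter chain entirely. -->
    <security:intercept-url pattern="/static/**" filters="none"/>
    <!-- Everything else requires an authenticated user. -->
    <security:intercept-url pattern="/**" access="ROLE_USER"/>

    <security:form-login login-page="/login.jsp"/>
    <!-- The logout URL defaults to /j_spring_security_logout. -->
    <security:logout logout-success-url="/login.jsp"
                     invalidate-session="true"/>
  </security:http>

  <!-- Constructed in-memory user so the fragment is complete. -->
  <security:authentication-manager>
    <security:authentication-provider>
      <security:user-service>
        <security:user name="demo" password="changeit"
                       authorities="ROLE_USER"/>
      </security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>
</beans>
```

With the catch-all rule in place, a request made after logout to any URL not explicitly exempted is redirected to the login page instead of reaching application code.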
Mckenzie John
Greenhorn

Joined: Sep 21, 2012
Posts: 16
Hi,

I have a problem with the Logout functionality in my application, which is using CAS integrated with Spring Security. My Spring configuration is as below:

<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <!-- URL redirected to after logout success -->
    <constructor-arg value="https://casURL/cas-server-webapp-3.5.1/logout?service=applnURL"/>

    <constructor-arg>
        <list>
            <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
            <bean class="com.blah.blah.sso.logout.CustomLogoutHandler"/>
        </list>
    </constructor-arg>
</bean>

Clicking the Logout link in my application calls the URL /j_spring_security_logout, which invalidates the session in SecurityContextLogoutHandler and redirects to the service as in the constructor. Our expected behaviour is that CAS must log itself out, invalidate the session both in CAS and in the application, and redirect to the service configured as above.

What actually happens is that the service URL is getting called, but CAS is not creating the ST for the valid user I give at THIS point in time in the CAS login page.

Any help please.

Thanks,
Mckenzie
Bill Gorder
Bartender

Joined: Mar 07, 2010
Posts: 1648
    

This thread has already been marked as resolved. Please start new threads for new questions.


[How To Ask Questions][Read before you PM me]
 