We are looking for a way to implement a custom logout filter in our application which has a CAS setup. Our requirement is to have the session cleared both in CAS and the application from where our logout is called from. I am a newbie to Spring security. I understand from some of the sites that we may need to write our own custom logout handler which implements LogoutHandler. My Spring config file looks lie
<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<!-- URL redirected to after logout success -->
<constructor-arg value="URL to Which i want to redirect on successful logout"/>
I would like to have some help in the following areas:
1) any pointers which can help me the functionality of the logout action in Spring security context.
2) A simple example of how to write a custom logout handler with which i can invalidate the session created.
3) Help on the part of invalidating session in CAS along with this code will be much appreciated.
You wouldn't set it in the filter. I believe the <security:logout> tag has a property/attribute to point to your bean that is a class that implements LogoutHandler. The only time I have done LogoutHandler was in conjunction with customized RememberMeService implementation.