HOWTO: Acegi Logout
dmfrey
Oct 1st, 2004, 12:20 PM
All,
I have been looking for a way to issue a logout command with Acegi. Is there something I am missing? I tried to just invalidate the session, but that doesn't seem to do it.
Thanks in advance.
Dan
Ben Alex
Oct 1st, 2004, 10:22 PM
In your controller set ContextHolder to null.
AutoIntegrationFilter or whatever subclass of AbstractIntegrationFilter you're using will overwrite the HttpSession (or other well-known location) at the end of the web request.
dmfrey
Oct 3rd, 2004, 11:25 AM
Ben,
Thanks, I will give it a try.
Dan
smccrory
Oct 3rd, 2004, 08:56 PM
Do you mean to say you set the Context on the ContextHolder to null?
Ben Alex
Oct 4th, 2004, 04:48 PM
Yes, sorry.
abrenk
Oct 15th, 2004, 08:51 AM
I've created a HttpSessionListener that sets the Context to null on session invalidation.
Here it is:
package net.sf.acegisecurity.ui;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * @author Andreas Brenk
 */
public class AbstractIntegrationListener implements HttpSessionListener {
    //~ Static fields/initializers ---------------------------------------------
    protected static final Log logger = LogFactory.getLog(AbstractIntegrationListener.class);

    //~ Methods ----------------------------------------------------------------
    /**
     * @see javax.servlet.http.HttpSessionListener#sessionCreated(javax.servlet.http.HttpSessionEvent)
     */
    public void sessionCreated(HttpSessionEvent se) {
    }

    /**
     * @see javax.servlet.http.HttpSessionListener#sessionDestroyed(javax.servlet.http.HttpSessionEvent)
     */
    public void sessionDestroyed(HttpSessionEvent se) {
    }
}
and
package net.sf.acegisecurity.ui.webapp;

import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.ui.AbstractIntegrationListener;
import javax.servlet.http.HttpSessionEvent;

/**
 * In web.xml:
 *
 * <listener>
 *   <listener-class>net.sf.acegisecurity.ui.webapp.HttpSessionIntegrationListener</listener-class>
 * </listener>
 *
 * @author Andreas Brenk
 */
public class HttpSessionIntegrationListener
        extends AbstractIntegrationListener {
    //~ Methods ----------------------------------------------------------------
    public void sessionDestroyed(HttpSessionEvent se) {
        if (logger.isInfoEnabled()) {
            logger.info("Removing Context from ContextHolder");
        }
        ContextHolder.setContext(null);
    }
}
I'd be delighted if it could be included in the official release.
Regards,
Andreas
Ben Alex
Oct 15th, 2004, 08:55 AM
If AbstractIntegrationFilter is working properly, it will automatically call ContextHolder.setContext(null) at the end of each request. As such, what value does a HttpSessionListener add?
abrenk
Oct 15th, 2004, 09:12 AM
In 0.50 I simply called request.getSession().invalidate() during logout and everything was fine. After an upgrade to 0.51 this produced "IllegalStateException: Cannot create a session after the response has been committed". The Listener was my solution.
This way the controller also would not be directly coupled to ContextHolder.
But please correct me, I'm always keen to learn.
AB
Ben Alex
Oct 15th, 2004, 09:48 AM
You can provide a logout function by simply invalidating the HttpSession. As the request will still end normally, the AbstractIntegrationFilter will tidy up the ContextHolder (set it to null) and the session invalidation takes care of removing the HttpSession-stored Authentication object.
So I still can't see any reason to use a HttpSessionListener for the purpose of logout in a normal situation. Some people might need it though, if they had very special needs like tracking simultaneous logins etc.
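Added example (not posted by anyone in this thread and not Acegi code): a self-contained sketch of when a listener that clears a thread-bound holder in sessionDestroyed actually reaches the request's context. It assumes the holder is thread-bound, modelled here by the hypothetical ThreadBoundContext class, and that the container expires idle sessions from its own background thread while an explicit invalidate() fires the listener on the calling thread; the principal "alice" is constructed.

```java
// Added example. ThreadBoundContext is a hypothetical stand-in for a
// thread-bound holder such as ContextHolder; it is not Acegi code.
public class ThreadBoundContextDemo {

    static final class ThreadBoundContext {
        private static final ThreadLocal<String> HOLDER = new ThreadLocal<>();
        static void set(String ctx) { HOLDER.set(ctx); }
        static String get() { return HOLDER.get(); }
    }

    // Same effect as the listener above: clears the holder of the CALLING thread only.
    static void sessionDestroyed() {
        ThreadBoundContext.set(null);
    }

    // Case 1 (assumed timeout path): the listener runs on a container
    // background thread while a request worker still holds a context.
    static String contextSeenAfterTimeout() throws InterruptedException {
        final String[] seen = new String[1];
        Thread request = new Thread(() -> {
            ThreadBoundContext.set("alice"); // constructed principal
            try {
                Thread reaper = new Thread(ThreadBoundContextDemo::sessionDestroyed, "session-reaper");
                reaper.start();
                reaper.join();
                seen[0] = ThreadBoundContext.get(); // the worker's own slot is untouched
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            } finally {
                ThreadBoundContext.set(null); // the per-request cleanup the filter performs
            }
        }, "request-worker");
        request.start();
        request.join();
        return seen[0];
    }

    // Case 2: a controller calls session.invalidate(), so the listener
    // runs on the request thread and does clear that thread's holder.
    static String contextSeenAfterExplicitInvalidate() {
        ThreadBoundContext.set("alice");
        sessionDestroyed();
        return ThreadBoundContext.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("timeout on reaper thread:     " + contextSeenAfterTimeout());
        System.out.println("invalidate on request thread: " + contextSeenAfterExplicitInvalidate());
    }
}
```

In both cases the cleanup that reliably covers the request thread is the one done in the finally block at the end of the request, which is the role the integration filter plays.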
sodamnmad
Nov 2nd, 2007, 04:48 AM
I know this was asked a long time ago, but I think invalidating the session doesn't always work for some people. This worked for me.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.acegisecurity.context.SecurityContextHolder;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.AbstractController;

public class LogoutController extends AbstractController {
    // View name returned after logout; injected through setRedirect().
    private String redirect;

    public String getRedirect() {
        return redirect;
    }

    @Override
    protected ModelAndView handleRequestInternal(HttpServletRequest request,
            HttpServletResponse response) throws Exception {
        // Drop the Authentication from the current security context.
        SecurityContextHolder.getContext().setAuthentication(null);
        return new ModelAndView(redirect);
    }

    public void setRedirect(String redirect) {
        this.redirect = redirect;
    }
}
Luke Taylor
Nov 4th, 2007, 12:46 PM
Logout functionality is now provided through the LogoutFilter.