From 9f45f95fab9101d7910531ba4c0a6ecd60f5aeaa Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Thu, 31 Jan 2008 15:48:04 +0000
Subject: [PATCH] SEC-491: Add alternative options for determining logout URL.
---
 .../security/ui/logout/LogoutFilter.java | 32 +++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/core/src/main/java/org/springframework/security/ui/logout/LogoutFilter.java b/core/src/main/java/org/springframework/security/ui/logout/LogoutFilter.java
index f5a002bf0c..3f79fc9b4c 100644
--- a/core/src/main/java/org/springframework/security/ui/logout/LogoutFilter.java
+++ b/core/src/main/java/org/springframework/security/ui/logout/LogoutFilter.java
@@ -30,6 +30,7 @@ import org.springframework.security.context.SecurityContextHolder;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 /**
 * Logs a principal out.
@@ -64,7 +65,6 @@ public class LogoutFilter extends SpringSecurityFilter {
 //~ Constructors ===================================================================================================
 public LogoutFilter(String logoutSuccessUrl, LogoutHandler[] handlers) {
- Assert.hasText(logoutSuccessUrl, "LogoutSuccessUrl required");
 Assert.notEmpty(handlers, "LogoutHandlers are required");
 this.logoutSuccessUrl = logoutSuccessUrl;
 this.handlers = handlers;
@@ -86,7 +86,9 @@ public class LogoutFilter extends SpringSecurityFilter {
 handlers[i].logout(request, response, auth);
 }
- sendRedirect(request, response, logoutSuccessUrl);
+ String targetUrl = determineTargetUrl(request, response);
+
+ sendRedirect(request, response, targetUrl);
 return;
 }
@@ -125,6 +127,32 @@ public class LogoutFilter extends SpringSecurityFilter {
 return uri.endsWith(request.getContextPath() + filterProcessesUrl);
 }
+ /**
+ * Returns the target URL to redirect to after logout.
+ *

+ * By default it will check for a logoutSuccessUrl parameter in
+ * the request and use this. If that isn't present it will use the configured logoutSuccessUrl. If this
+ * hasn't been set it will check the Referer header and use the URL from there.
+ *
+ */
+ protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response) {
+ String targetUrl = request.getParameter("logoutSuccessUrl");
+
+ if(!StringUtils.hasLength(targetUrl)) {
+ targetUrl = logoutSuccessUrl;
+ }
+
+ if (!StringUtils.hasLength(targetUrl)) {
+ targetUrl = request.getHeader("Referer");
+ }
+
+ if (!StringUtils.hasLength(targetUrl)) {
+ targetUrl = "/";
+ }
+
+ return targetUrl;
+ }
+
 /**
 * Allow subclasses to modify the redirection message.
 *
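Review bot: determineTargetUrl() takes the redirect target from the `logoutSuccessUrl` request parameter and, when neither that nor the configured value is set, from the `Referer` header, and nothing checks that the value points back into this application, so the filter can redirect a user to an arbitrary external site after logout (an unvalidated redirect, CWE-601). The request parameter is consulted before the configured `logoutSuccessUrl`, so the deployer's setting can be overridden by the client, and the constructor hunk's removal of `Assert.hasText(logoutSuccessUrl, ...)` is what makes the Referer branch reachable. I would accept a client-supplied target only when it is an application-relative path, make the Referer fallback opt-in or compare its host with the application's own, and say in the Javadoc that both inputs are untrusted. How sendRedirect() treats absolute URLs is not visible in this patch, so the check is best placed here.

```java
protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response) {
    String targetUrl = request.getParameter("logoutSuccessUrl");

    // Client-supplied: accept only a path inside this application,
    // never an absolute or scheme-relative URL.
    if (!isApplicationRelative(targetUrl)) {
        targetUrl = logoutSuccessUrl;
    }

    // … unchanged: Referer fallback (to be made opt-in or host-checked), then "/" default …

    return targetUrl;
}

private static boolean isApplicationRelative(String url) {
    return StringUtils.hasLength(url)
            && url.startsWith("/")
            && !url.startsWith("//")
            && url.indexOf('\\') < 0;
}
```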