Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-26 05:42:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-340: Invalidate HttpSession on logout.

Browse Source
This commit is contained in:
Ben Alex 2006-09-29 06:45:40 +00:00
parent db96650d99
commit cc03675776
1 changed files with 35 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
core/src/main/java/org/acegisecurity/ui/logout/SecurityContextLogoutHandler.java
View File

@ -18,28 +18,60 @@ package org.acegisecurity.ui.logout;
import org.acegisecurity.Authentication; import org.acegisecurity.Authentication;
import org.acegisecurity.context.SecurityContextHolder; import org.acegisecurity.context.SecurityContextHolder;
import org.springframework.util.Assert;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
/** /**
* Performs a logout by modifying the {@link org.acegisecurity.context.SecurityContextHolder}. * Performs a logout by modifying the {@link org.acegisecurity.context.SecurityContextHolder}.
* *
* <p>Will also invalidate the {@link HttpSession} if {@link #isInvalidateHttpSession()} is
* <code>true</code> and the session is not <code>null</code>.
*
* @author Ben Alex * @author Ben Alex
* @version $Id$ * @version $Id$
*/ */
public class SecurityContextLogoutHandler implements LogoutHandler { public class SecurityContextLogoutHandler implements LogoutHandler {
//~ Methods ======================================================================================================== //~ Methods ========================================================================================================
private boolean invalidateHttpSession = true;
/** /**
* Does not use any arguments. They can all be <code>null</code>. * Requires the request to be passed in.
* *
* @param request not used (can be <code>null</code>) * @param request from which to obtain a HTTP session (cannot be null)
* @param response not used (can be <code>null</code>) * @param response not used (can be <code>null</code>)
* @param authentication not used (can be <code>null</code>) * @param authentication not used (can be <code>null</code>)
*/ */
public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) { public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
SecurityContextHolder.clearContext(); Assert.notNull(request, "HttpServletRequest required");
if (invalidateHttpSession) {
HttpSession session = request.getSession(false);
if (session != null) {
session.invalidate();
}
}
SecurityContextHolder.clearContext();
} }
public boolean isInvalidateHttpSession() {
return invalidateHttpSession;
}
/**
* Causes the {@link HttpSession} to be invalidated when this
* {@link LogoutHandler} is invoked. Defaults to true.
*
* @param invalidateHttpSession true if you wish the session to be
* invalidated (default) or false if it should not be
*/
public void setInvalidateHttpSession(boolean invalidateHttpSession) {
this.invalidateHttpSession = invalidateHttpSession;
}
} }