diff --git a/spring-5-security/src/main/java/com/baeldung/manuallogout/BasicAuthController.java b/spring-5-security/src/main/java/com/baeldung/manuallogout/BasicAuthController.java deleted file mode 100644 index 8f01940dce..0000000000 --- a/spring-5-security/src/main/java/com/baeldung/manuallogout/BasicAuthController.java +++ /dev/null @@ -1,32 +0,0 @@ -package com.baeldung.manuallogout; - -import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.stereotype.Controller; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; - -import javax.servlet.http.Cookie; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpSession; - -@Controller -public class BasicAuthController { - - @RequestMapping(value = {"/basiclogout"}, method = RequestMethod.POST) - public String logout(HttpServletRequest request, HttpServletResponse response) { - HttpSession session; - SecurityContextHolder.clearContext(); - session = request.getSession(false); - if (session != null) { - session.invalidate(); - } - for (Cookie cookie : request.getCookies()) { - String cookieName = cookie.getName(); - Cookie cookieToDelete = new Cookie(cookieName, null); - cookieToDelete.setMaxAge(0); - response.addCookie(cookieToDelete); - } - return "redirect:/login?logout"; - } -} diff --git a/spring-5-security/src/main/java/com/baeldung/manuallogout/ClearSiteDataController.java b/spring-5-security/src/main/java/com/baeldung/manuallogout/ClearSiteDataController.java deleted file mode 100644 index 7eef397da3..0000000000 --- a/spring-5-security/src/main/java/com/baeldung/manuallogout/ClearSiteDataController.java +++ /dev/null @@ -1,29 +0,0 @@ -package com.baeldung.manuallogout; - -import org.springframework.security.core.Authentication; -import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.security.web.authentication.logout.HeaderWriterLogoutHandler; -import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter; -import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter.Directive; -import org.springframework.stereotype.Controller; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -@Controller -public class ClearSiteDataController { - - Directive[] SOURCE = {Directive.COOKIES, Directive.STORAGE, Directive.EXECUTION_CONTEXTS, Directive.CACHE}; - - @RequestMapping(value = {"/csdlogout"}, method = RequestMethod.POST) - public String logout(HttpServletRequest request, HttpServletResponse response) { - Authentication auth = SecurityContextHolder.getContext().getAuthentication(); - if (auth != null) { - ClearSiteDataHeaderWriter csdHeaderWriter = new ClearSiteDataHeaderWriter(SOURCE); - new HeaderWriterLogoutHandler(csdHeaderWriter).logout(request, response, auth); - } - return "redirect:/login?logout"; - } -} diff --git a/spring-5-security/src/main/java/com/baeldung/manuallogout/SimpleSecurityConfiguration.java b/spring-5-security/src/main/java/com/baeldung/manuallogout/SimpleSecurityConfiguration.java index 6f14f6fca2..63394b64f2 100644 --- a/spring-5-security/src/main/java/com/baeldung/manuallogout/SimpleSecurityConfiguration.java +++ b/spring-5-security/src/main/java/com/baeldung/manuallogout/SimpleSecurityConfiguration.java @@ -1,39 +1,80 @@ package com.baeldung.manuallogout; import org.springframework.context.annotation.Configuration; +import org.springframework.core.annotation.Order; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler; +import org.springframework.security.web.authentication.logout.HeaderWriterLogoutHandler; +import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler; +import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices; +import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter; + +import javax.servlet.http.Cookie; + +import static org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter.Directive.*; @Configuration @EnableWebSecurity -public class SimpleSecurityConfiguration extends WebSecurityConfigurerAdapter { +public class SimpleSecurityConfiguration { - @Override - protected void configure(HttpSecurity http) throws Exception { - http.formLogin() - .loginProcessingUrl("/login") - .loginPage("/login") - .usernameParameter("username") - .passwordParameter("password") - .defaultSuccessUrl("/") - .failureUrl("/login?error"); + @Order(3) + @Configuration + public static class DefaultLogoutConfiguration extends WebSecurityConfigurerAdapter { + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .antMatcher("/basic/**") + .authorizeRequests(authz -> authz.anyRequest().permitAll()) + .logout(logout -> logout + .logoutUrl("/basic/basiclogout") + .addLogoutHandler(new SecurityContextLogoutHandler()) + .addLogoutHandler(new CookieClearingLogoutHandler(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY)) + ); + } } - @Override - protected void configure(AuthenticationManagerBuilder auth) throws Exception { - auth.inMemoryAuthentication() - .withUser("user") - .password("password") - .roles("USER") - .and() - .withUser("manager") - .password("password") - .credentialsExpired(true) - .accountExpired(true) - .accountLocked(true) - .authorities("WRITE_PRIVILEGES", "READ_PRIVILEGES") - .roles("MANAGER"); + @Order(2) + @Configuration + public static class AllCookieClearingLogoutConfiguration extends WebSecurityConfigurerAdapter { + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .antMatcher("/cookies/**") + .authorizeRequests(authz -> authz.anyRequest().permitAll()) + .logout(logout -> logout + .logoutUrl("/cookies/cookielogout") + .addLogoutHandler(new SecurityContextLogoutHandler()) + .addLogoutHandler((request, response, auth) -> { + for (Cookie cookie : request.getCookies()) { + String cookieName = cookie.getName(); + Cookie cookieToDelete = new Cookie(cookieName, null); + cookieToDelete.setMaxAge(0); + response.addCookie(cookieToDelete); + } + } + )); + } + } + + @Order(1) + @Configuration + public static class ClearSiteDataHeaderLogoutConfiguration extends WebSecurityConfigurerAdapter { + + private static final ClearSiteDataHeaderWriter.Directive[] SOURCE = + { CACHE, COOKIES, STORAGE, EXECUTION_CONTEXTS }; + + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .antMatcher("/csd/**") + .authorizeRequests(authz -> authz.anyRequest().permitAll()) + .logout(logout -> logout + .logoutUrl("/csd/csdlogout") + .addLogoutHandler(new HeaderWriterLogoutHandler(new ClearSiteDataHeaderWriter(SOURCE))) + ); + } } } diff --git a/spring-5-security/src/test/java/com/baeldung/manuallogout/ManualLogoutIntegrationTest.java b/spring-5-security/src/test/java/com/baeldung/manuallogout/ManualLogoutIntegrationTest.java index a64cb82910..09e7daf877 100644 --- a/spring-5-security/src/test/java/com/baeldung/manuallogout/ManualLogoutIntegrationTest.java +++ b/spring-5-security/src/test/java/com/baeldung/manuallogout/ManualLogoutIntegrationTest.java @@ -7,6 +7,7 @@ import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest; import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpSession; import org.springframework.security.test.context.support.WithMockUser; +import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices; import org.springframework.test.context.junit4.SpringRunner; import org.springframework.test.web.servlet.MockMvc; @@ -36,7 +37,22 @@ public class ManualLogoutIntegrationTest { @WithMockUser(value = "spring") @Test - public void givenLoggedUserWhenUserLogoutThenSessionCleared() throws Exception { + public void givenLoggedUserWhenUserLogoutThenSessionClearedAndNecessaryCookieCleared() throws Exception { + + MockHttpServletRequest requestStateAfterLogout = this.mockMvc.perform(post("/basic/basiclogout").secure(true).with(csrf())) + .andExpect(status().is3xxRedirection()) + .andExpect(unauthenticated()) + .andExpect(cookie().maxAge(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, 0)) + .andReturn() + .getRequest(); + + HttpSession sessionStateAfterLogout = requestStateAfterLogout.getSession(); + assertNull(sessionStateAfterLogout.getAttribute(ATTRIBUTE_NAME)); + } + + @WithMockUser(value = "spring") + @Test + public void givenLoggedUserWhenUserLogoutThenSessionClearedAndAllCookiesCleared() throws Exception { MockHttpSession session = new MockHttpSession(); session.setAttribute(ATTRIBUTE_NAME, ATTRIBUTE_VALUE); @@ -44,7 +60,7 @@ public class ManualLogoutIntegrationTest { Cookie randomCookie = new Cookie(COOKIE_NAME, COOKIE_VALUE); randomCookie.setMaxAge(EXPIRY); // 10 minutes - MockHttpServletRequest requestStateAfterLogout = this.mockMvc.perform(post("/basiclogout").secure(true).with(csrf()).session(session).cookie(randomCookie)) + MockHttpServletRequest requestStateAfterLogout = this.mockMvc.perform(post("/cookies/cookielogout").secure(true).with(csrf()).session(session).cookie(randomCookie)) .andExpect(status().is3xxRedirection()) .andExpect(unauthenticated()) .andExpect(cookie().maxAge(COOKIE_NAME, 0)) @@ -53,15 +69,13 @@ public class ManualLogoutIntegrationTest { HttpSession sessionStateAfterLogout = requestStateAfterLogout.getSession(); assertNull(sessionStateAfterLogout.getAttribute(ATTRIBUTE_NAME)); - - } @WithMockUser(value = "spring") @Test public void givenLoggedUserWhenUserLogoutThenClearDataSiteHeaderPresent() throws Exception { - this.mockMvc.perform(post("/csdlogout").secure(true).with(csrf())) + this.mockMvc.perform(post("/csd/csdlogout").secure(true).with(csrf())) .andDo(print()) .andExpect(status().is3xxRedirection()) .andExpect(header().exists(CLEAR_SITE_DATA_HEADER))