BAEL-3969 Spring Security - Custom Logout Handler

spring-security-modules/spring-security-mvc-boot-2/src/main/java/com/baeldung/customlogouthandler/LogoutDemoApplication.java

@@ -0,0 +1,13 @@
+package com.baeldung.customlogouthandler;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class LogoutDemoApplication {
+
+	public static void main(String[] args) {
+		SpringApplication.run(LogoutDemoApplication.class, args);
+	}
+
+}

spring-security-modules/spring-security-mvc-boot-2/src/main/java/com/baeldung/customlogouthandler/MvcConfiguration.java

@@ -0,0 +1,51 @@
+package com.baeldung.customlogouthandler;
+
+import com.baeldung.customlogouthandler.web.CustomLogoutHandler;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
+
+import javax.sql.DataSource;
+
+@Configuration
+@EnableWebSecurity
+public class MvcConfiguration extends WebSecurityConfigurerAdapter {
+
+    @Autowired
+    private DataSource dataSource;
+
+    @Autowired
+    private CustomLogoutHandler logoutHandler;
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+                .httpBasic().and()
+                .authorizeRequests()
+                .antMatchers(HttpMethod.GET, "/user/**").hasRole("USER")
+                .and()
+                    .logout()
+                    .logoutUrl("/user/logout")
+                    .addLogoutHandler(logoutHandler)
+                    .logoutSuccessHandler((new HttpStatusReturningLogoutSuccessHandler(HttpStatus.OK)))
+                    .permitAll()
+                .and()
+                .csrf().disable()
+                .formLogin().disable();
+    }
+
+    @Override
+    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+        auth.jdbcAuthentication()
+                .dataSource(dataSource)
+                .usersByUsernameQuery("select login, password, true from users where login=?")
+                .authoritiesByUsernameQuery("select login, role from users where login=?");
+    }
+
+}

spring-security-modules/spring-security-mvc-boot-2/src/main/java/com/baeldung/customlogouthandler/services/UserCache.java

@@ -0,0 +1,33 @@
+package com.baeldung.customlogouthandler.services;
+
+import com.baeldung.customlogouthandler.user.User;
+import org.springframework.stereotype.Service;
+
+import javax.persistence.EntityManager;
+import javax.persistence.PersistenceContext;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+
+@Service
+public class UserCache {
+
+    @PersistenceContext
+    private EntityManager entityManager;
+
+    private final ConcurrentMap<String, User> store = new ConcurrentHashMap<>(256);
+
+    public User getByLogin(String login) {
+        return store.computeIfAbsent(login, k -> entityManager.createQuery("from User where login=:login", User.class)
+                .setParameter("login", k)
+                .getSingleResult());
+    }
+
+    public void evictUser(String login) {
+        store.remove(login);
+    }
+
+    public int size() {
+        return this.store.size();
+    }
+
+}

spring-security-modules/spring-security-mvc-boot-2/src/main/java/com/baeldung/customlogouthandler/user/User.java

@@ -0,0 +1,61 @@
+package com.baeldung.customlogouthandler.user;
+
+import javax.persistence.*;
+
+@Entity
+@Table(name = "users")
+public class User {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Integer id;
+
+    @Column(unique = true)
+    private String login;
+
+    private String password;
+
+    private String role;
+
+    private String language;
+
+    public Integer getId() {
+        return id;
+    }
+
+    public void setId(Integer id) {
+        this.id = id;
+    }
+
+    public String getLogin() {
+        return login;
+    }
+
+    public void setLogin(String login) {
+        this.login = login;
+    }
+
+    public String getPassword() {
+        return password;
+    }
+
+    public void setPassword(String password) {
+        this.password = password;
+    }
+
+    public String getRole() {
+        return role;
+    }
+
+    public void setRole(String role) {
+        this.role = role;
+    }
+
+    public String getLanguage() {
+        return language;
+    }
+
+    public void setLanguage(String language) {
+        this.language = language;
+    }
+}

spring-security-modules/spring-security-mvc-boot-2/src/main/java/com/baeldung/customlogouthandler/user/UserUtils.java

@@ -0,0 +1,13 @@
+package com.baeldung.customlogouthandler.user;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+public class UserUtils {
+
+    public static String getAuthenticatedUserLogin() {
+        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+        return auth != null ? ((org.springframework.security.core.userdetails.User) auth.getPrincipal()).getUsername() : null;
+    }
+
+}

spring-security-modules/spring-security-mvc-boot-2/src/main/java/com/baeldung/customlogouthandler/web/CustomLogoutHandler.java

@@ -0,0 +1,27 @@
+package com.baeldung.customlogouthandler.web;
+
+import com.baeldung.customlogouthandler.services.UserCache;
+import com.baeldung.customlogouthandler.user.UserUtils;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.authentication.logout.LogoutHandler;
+import org.springframework.stereotype.Service;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@Service
+public class CustomLogoutHandler implements LogoutHandler {
+
+    private final UserCache userCache;
+
+    public CustomLogoutHandler(UserCache userCache) {
+        this.userCache = userCache;
+    }
+
+    @Override
+    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
+        String login = UserUtils.getAuthenticatedUserLogin();
+        userCache.evictUser(login);
+    }
+
+}

spring-security-modules/spring-security-mvc-boot-2/src/main/java/com/baeldung/customlogouthandler/web/UserController.java

@@ -0,0 +1,30 @@
+package com.baeldung.customlogouthandler.web;
+
+import com.baeldung.customlogouthandler.services.UserCache;
+import com.baeldung.customlogouthandler.user.User;
+import com.baeldung.customlogouthandler.user.UserUtils;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+
+@Controller
+@RequestMapping(path = "/user")
+public class UserController {
+
+    private final UserCache userCache;
+
+    public UserController(UserCache userCache) {
+        this.userCache = userCache;
+    }
+
+    @GetMapping(path = "/language")
+    @ResponseBody
+    public String getLanguage() {
+        String login = UserUtils.getAuthenticatedUserLogin();
+        User user = userCache.getByLogin(login);
+        return user.getLanguage();
+    }
+
+}

spring-security-modules/spring-security-mvc-boot-2/src/main/resources/application-customlogouthandler.properties

@@ -0,0 +1,5 @@
+spring.datasource.url=jdbc:postgresql://localhost:5432/test
+spring.datasource.username=test
+spring.datasource.password=test
+
+spring.jpa.hibernate.ddl-auto=create

spring-security-modules/spring-security-mvc-boot-2/src/test/java/com/baeldung/customlogouthandler/CustomLogoutHandlerIntegrationTest.java

@@ -0,0 +1,106 @@
+package com.baeldung.customlogouthandler;
+
+import com.baeldung.customlogouthandler.services.UserCache;
+import org.junit.jupiter.api.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.web.client.TestRestTemplate;
+import org.springframework.boot.web.server.LocalServerPort;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.ResponseEntity;
+import org.springframework.test.context.jdbc.Sql;
+import org.springframework.test.context.jdbc.SqlGroup;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@SpringBootTest(classes = {LogoutDemoApplication.class, MvcConfiguration.class}, webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+@SqlGroup({
+		@Sql(value = "classpath:customlogouthandler/before.sql", executionPhase = Sql.ExecutionPhase.BEFORE_TEST_METHOD),
+		@Sql(value = "classpath:customlogouthandler/after.sql", executionPhase = Sql.ExecutionPhase.AFTER_TEST_METHOD)
+})
+class CustomLogoutHandlerIntegrationTest {
+
+	@Autowired
+	private TestRestTemplate restTemplate;
+
+	@Autowired
+	private UserCache userCache;
+
+	@LocalServerPort
+	private int port;
+
+	@Test
+	public void whenLogin_thenUseUserCache() throws Exception {
+	// User cache should be empty on start
+	assertThat(userCache.size()).isEqualTo(0);
+
+	// Request using first login
+	ResponseEntity<String> response = restTemplate
+			.withBasicAuth("user", "pass")
+			.getForEntity(getLanguageUrl(), String.class);
+
+	assertThat(response.getBody()).contains("english");
+
+	// User cache must contain the user
+	assertThat(userCache.size()).isEqualTo(1);
+
+	// Getting the session cookie
+	HttpHeaders requestHeaders = new HttpHeaders();
+	requestHeaders.add("Cookie", response.getHeaders().getFirst(HttpHeaders.SET_COOKIE));
+
+	// Request with the session cookie
+	response = restTemplate
+			.exchange(getLanguageUrl(), HttpMethod.GET, new HttpEntity(requestHeaders), String.class);
+	assertThat(response.getBody()).contains("english");
+
+	// Logging out using the session cookies
+	response = restTemplate.exchange(getLogoutUrl(), HttpMethod.GET, new HttpEntity(requestHeaders), String.class);
+	assertThat(response.getStatusCode().value()).isEqualTo(200);
+	}
+
+	@Test
+	public void whenLogout_thenCacheIsEmpty() throws Exception {
+	// User cache should be empty on start
+	assertThat(userCache.size()).isEqualTo(0);
+
+	// Request using first login
+	ResponseEntity<String> response = restTemplate
+			.withBasicAuth("user", "pass")
+			.getForEntity(getLanguageUrl(), String.class);
+
+	assertThat(response.getBody()).contains("english");
+
+	// User cache must contain the user
+	assertThat(userCache.size()).isEqualTo(1);
+
+	// Getting the session cookie
+	HttpHeaders requestHeaders = new HttpHeaders();
+	requestHeaders.add("Cookie", response.getHeaders().getFirst(HttpHeaders.SET_COOKIE));
+
+	// Logging out using the session cookies
+	response = restTemplate.exchange(getLogoutUrl(), HttpMethod.GET, new HttpEntity(requestHeaders), String.class);
+	assertThat(response.getStatusCode().value()).isEqualTo(200);
+
+	// User cache must be empty now
+	// this is the reaction on custom logout filter execution
+	assertThat(userCache.size()).isEqualTo(0);
+
+	// Assert unathorized request
+	response = restTemplate.exchange(getLanguageUrl(), HttpMethod.GET, new HttpEntity(requestHeaders), String.class);
+	assertThat(response.getStatusCode().value()).isEqualTo(401);
+	}
+
+	private String getLanguageUrl() {
+		return "http://localhost:" + port + "/user/language";
+	}
+
+	private String getLogoutUrl() {
+		return "http://localhost:" + port + "/user/logout";
+	}
+
+}

spring-security-modules/spring-security-mvc-boot-2/src/test/resources/customlogouthandler/after.sql

@@ -0,0 +1 @@
+delete from users;

spring-security-modules/spring-security-mvc-boot-2/src/test/resources/customlogouthandler/application.properties

@@ -0,0 +1,5 @@
+spring.datasource.url=jdbc:postgresql://localhost:5432/develop
+spring.datasource.username=develop
+spring.datasource.password=develop
+
+spring.jpa.hibernate.ddl-auto=create

spring-security-modules/spring-security-mvc-boot-2/src/test/resources/customlogouthandler/before.sql

@@ -0,0 +1 @@
+insert into users (login, password, role, language) values ('user', '{noop}pass', 'ROLE_USER', 'english');