2

I've successfully integrated SiteMinder with Spring Security. However, Spring Security's logout URL doesn't apply to SiteMinder.

Spring Security

<logout delete-cookies="JSESSIONID" logout-success-url="/" invalidate-session="true" />

Spring Security Logout URL

<a href="<c:url value="j_spring_security_logout" />" > Logout</a>

Any suggestions which URL to use for SiteMinder/PreAuthentication?

user2601995

1 Answer

4

Checked the HTTP header. SiteMinder sets its cookie to SMSESSION by default. However, this cookie isn't controlled by Spring Security. SiteMinder must deploy a logout URL and be configured accordingly.

Solution:

<logout delete-cookies="JSESSIONID,SMSESSION" logout-success-url="/" invalidate-session="true" logout-url="/logout.html"/>

If you want to delete multiple cookies, separate them using commas.

The delete-cookies attribute

A comma-separated list of the names of cookies which should be deleted when the user logs out.

Reference: http://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html

user2601995
  • That works great for a simple case, but when you are dealing with federation where the identity provider is accessed from another FQDN, you can't delete its cookie. So, it will destroy the local session but you won't be logged off (a simple access will rebuild the session without asking for credentials). – rsabir Oct 11 '16 at 15:30
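A browser discards a stored cookie only when the expiring Set-Cookie carries the same name, Domain and Path it was issued with, and only accepts it from a host inside that Domain, which is the limit the comment above describes. The handler below is an added example, not part of the original answer or of Spring Security: the class name, package and the domain/path values passed to it are hypothetical and must match how SMSESSION is issued in your deployment.

```java
package example; // hypothetical package

import java.util.Locale;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;

/** Expires a cookie using the Domain and Path it was issued with (assumed values). */
public class DomainCookieLogoutHandler implements LogoutHandler {

    private final String cookieName;   // e.g. "SMSESSION"
    private final String cookieDomain; // assumption, e.g. "example.com"
    private final String cookiePath;   // assumption, e.g. "/"

    public DomainCookieLogoutHandler(String cookieName, String cookieDomain, String cookiePath) {
        this.cookieName = cookieName;
        // Browsers ignore a leading dot and compare domains case-insensitively.
        String d = cookieDomain.toLowerCase(Locale.ROOT);
        this.cookieDomain = d.startsWith(".") ? d.substring(1) : d;
        this.cookiePath = cookiePath;
    }

    /** True when a response from this host may set, and therefore expire, the cookie. */
    boolean hostMayExpire(String host) {
        String h = host.toLowerCase(Locale.ROOT);
        return h.equals(cookieDomain) || h.endsWith("." + cookieDomain);
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        if (!hostMayExpire(request.getServerName())) {
            // Federation case: the cookie belongs to another FQDN, so the browser
            // would reject this header. Logout must go through the issuer's own URL.
            return;
        }
        Cookie expired = new Cookie(cookieName, "");
        expired.setDomain(cookieDomain);
        expired.setPath(cookiePath);
        expired.setMaxAge(0); // Max-Age=0 tells the browser to discard the cookie
        expired.setSecure(request.isSecure());
        response.addCookie(expired);
    }
}
```

The handler can be passed to a `LogoutFilter` alongside the session-invalidating handler; when `hostMayExpire` returns false, the SiteMinder session stays valid and only a logout on the identity provider's side ends it.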