
Here is ApplicationContext-security.xml. The default Spring logout filter defined in it does not appear to invalidate the session when the logout link is clicked: the browser still holds the user's credentials after logout. (The configuration authenticates with HTTP Basic via `basicAuthFilter`, so the browser re-sends its cached `Authorization` header on the next request.)

    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans-4.3.xsd 
        http://www.springframework.org/schema/security 
        http://www.springframework.org/schema/security/spring-security-4.2.xsd">
        <!--
            Spring Security 4.2 configuration for a server that authenticates with HTTP Basic
            (basicAuthFilter) and enforces a per-URL transport channel (channelProcessingFilter).
            The filter chain is assembled by hand in serverSpringSecurityFilterChain below; the
            <http> namespace element further down is left empty.

            Security note on logout: SecurityContextLogoutHandler clears the server-side
            SecurityContext and, with invalidateHttpSession=true, the HttpSession. It cannot reach
            the credentials a browser caches for HTTP Basic: the browser re-sends the Authorization
            header on the next request and basicAuthFilter authenticates it again. Making the
            browser forget Basic credentials needs a 401 response carrying a WWW-Authenticate
            challenge, or an explicit action by the user in the browser.
        -->
        <beans:import resource="classpath:odk-security-settings.xml"/>
        <!--
            Legacy password encoder from the authentication.encoding package (deprecated in the 4.x
            line, removed in 5.0). It is salted per user via AggregateUserSaltSource below, but a
            single SHA round is cheap to brute-force offline. Migrating to BCryptPasswordEncoder
            requires re-hashing stored credentials, so treat this as a planned change rather than a
            drop-in swap.
        -->
        <beans:bean id="basicAuthenticationMessageDigestPasswordEncoder"
                class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>
        <!--
            Empty <http> element. It still defines the namespace's springSecurityFilterChain bean
            with the 4.x defaults (presumably including CSRF protection). Which chain actually runs
            depends on the filter mapping in web.xml, which is not shown here; confirm it refers to
            serverSpringSecurityFilterChain, otherwise everything below is dead configuration.
        -->
        <http use-expressions="true">
        </http>
        <!--
            Authorization rules (expression mode: access="true" means permit-all). Requests that
            match none of these patterns receive no attributes, and with AbstractSecurityInterceptor's
            default rejectPublicInvocations=false they pass through unauthenticated. This list has no
            catch-all /** rule (the /** on channelProcessingFilter governs transport only) and the
            odktables rule covers GET only, so verify that the filterSecurityInterceptor bean (not in
            this excerpt) sets rejectPublicInvocations="true" or that the full rule set ends with a
            /** entry.
        -->
        <filter-security-metadata-source id="securityPolicy" use-expressions="true">
            <intercept-url pattern="/logout.html" access="true" />
            <intercept-url pattern="/multimode_login.html" access="true" />
            <intercept-url pattern="/relogin.html" access="true" />
            <intercept-url pattern="/local_login.html" access="isFullyAuthenticated() and hasAuthority('AUTH_LOCAL')" />
            <intercept-url pattern="/www/**" access="hasRole('ROLE_USER')" />
            <intercept-url pattern="/roles/granted" access="isFullyAuthenticated() and hasRole('ROLE_USER')" />
            <intercept-url pattern="/odktables/*/tables/*/ref/*" access="hasRole('ROLE_SYNCHRONIZE_TABLES')" method="GET" />
        </filter-security-metadata-source>
        <!--
            Two hand-built chains; list order is execution order. The first matches only
            /local_login.html and differs from the catch-all chain solely in using
            localExceptionTranslationFilter. Neither chain contains a CSRF filter: because the
            browser attaches Basic credentials automatically, state-changing endpoints served through
            these chains depend on mitigation elsewhere. The ${security.server.deviceAuthentication}
            placeholder selects the device auth filter bean (e.g. basicAuthFilter below), presumably
            from the imported odk-security-settings.xml.
        -->
        <beans:bean id="serverSpringSecurityFilterChain"
            class="org.springframework.security.web.FilterChainProxy">
            <beans:constructor-arg>
                <beans:list>
                    <beans:bean class="org.springframework.security.web.DefaultSecurityFilterChain">
                        <beans:constructor-arg>
                            <beans:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                                <beans:constructor-arg type="java.lang.String" value="/local_login.html"/>
                            </beans:bean>
                        </beans:constructor-arg>
                        <beans:constructor-arg>
                            <beans:list>
                                <beans:ref bean="channelProcessingFilter"/>
                                <beans:ref bean="securityContextPersistenceFilter"/>
                                <beans:ref bean="logoutFilter"/>
                                <beans:ref bean="oauth2ResourceFilter"/>
                                <beans:ref bean="oobAuthFilter"/>
                                <beans:ref bean="${security.server.deviceAuthentication}AuthFilter"/>
                                <beans:ref bean="requestCacheAwareFilter"/>
                                <beans:ref bean="anonymousFilter"/>
                                <beans:ref bean="securityContextHolderAwareFilter"/>
                                <beans:ref bean="sessionManagerFilter"/>
                                <beans:ref bean="localExceptionTranslationFilter"/>
                                <beans:ref bean="filterSecurityInterceptor"/>
                            </beans:list>
                        </beans:constructor-arg>
                    </beans:bean>
                    <beans:bean class="org.springframework.security.web.DefaultSecurityFilterChain">
                        <beans:constructor-arg>
                            <beans:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                                <beans:constructor-arg type="java.lang.String" value="/**"/>
                            </beans:bean>
                        </beans:constructor-arg>
                        <beans:constructor-arg>
                            <beans:list>
                                <beans:ref bean="channelProcessingFilter"/>
                                <beans:ref bean="securityContextPersistenceFilter"/>
                                <beans:ref bean="logoutFilter"/>
                                <beans:ref bean="oauth2ResourceFilter"/>
                                <beans:ref bean="oobAuthFilter"/>
                                <beans:ref bean="${security.server.deviceAuthentication}AuthFilter"/>
                                <beans:ref bean="requestCacheAwareFilter"/> 
                                <beans:ref bean="anonymousFilter"/>
                                <beans:ref bean="securityContextHolderAwareFilter"/>
                                <beans:ref bean="sessionManagerFilter"/>
                                <beans:ref bean="exceptionTranslationFilter"/>
                                <beans:ref bean="filterSecurityInterceptor"/>
                            </beans:list>
                        </beans:constructor-arg>
                    </beans:bean>
                </beans:list>
            </beans:constructor-arg>
        </beans:bean>
        <!--
            Transport policy. Only /ssl/** is forced onto ${security.server.secureChannelType};
            every other path, including the login/logout pages and every request carrying a Basic
            Authorization header, follows ${security.server.channelType}. If that property resolves
            to ANY_CHANNEL, credentials travel over plaintext HTTP; use REQUIRES_SECURE_CHANNEL in
            production. use-expressions="false" is needed here because the access values are channel
            attributes, not SpEL expressions.
        -->
        <beans:bean id="channelProcessingFilter" class="org.springframework.security.web.access.channel.ChannelProcessingFilter">
          <beans:property name="channelDecisionManager" ref="channelDecisionManager"/>
          <beans:property name="securityMetadataSource">
            <filter-security-metadata-source request-matcher="ant" use-expressions="false">
                <intercept-url pattern="/logout.html" access="${security.server.channelType}" />
                <intercept-url pattern="/multimode_login.html" access="${security.server.channelType}" />
                <intercept-url pattern="/relogin.html" access="${security.server.channelType}" />
                <intercept-url pattern="/ssl/**" access="${security.server.secureChannelType}"/>
                <intercept-url pattern="/local_login.html" access="${security.server.channelType}" />
                <intercept-url pattern="/**" access="${security.server.channelType}"/>
            </filter-security-metadata-source>
          </beans:property>
        </beans:bean>
        <!--
            Logout: a request to /j_spring_security_logout clears the SecurityContext, invalidates
            the HttpSession and redirects to /logout.html. With a plain String filterProcessesUrl
            the filter matches any HTTP method, so a GET link triggers it. As noted at the top of
            this file, none of this makes the browser forget cached Basic credentials; the next
            request is silently re-authenticated.
        -->
        <beans:bean id="logoutFilter"
            class="org.springframework.security.web.authentication.logout.LogoutFilter">
            <beans:constructor-arg name="logoutSuccessUrl" value="/logout.html" />
            <beans:constructor-arg name="handlers">
                <beans:list>
                    <beans:bean
                        class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
                        <beans:property name="invalidateHttpSession" value="true"/>
                    </beans:bean>
                </beans:list>
            </beans:constructor-arg>
            <beans:property name="filterProcessesUrl" value="/j_spring_security_logout"/>
        </beans:bean>
        <!--
            Anonymous provider keyed by sitePreferencesBean.siteKey (resolved through
            PropertyPathFactoryBean). This key presumably has to equal the one used by the
            anonymousFilter defined elsewhere, or the anonymous tokens it creates will not validate.
        -->
        <beans:bean id="anonymousProvider"
            class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
            <beans:constructor-arg type="java.lang.String">
                <beans:bean id="sitePreferencesBean.siteKey" class="org.springframework.beans.factory.config.PropertyPathFactoryBean"/>
            </beans:constructor-arg>
        </beans:bean>
        <!--
            HTTP Basic filter (ODK subclass of the Spring one). Its ProviderManager consults, in
            order, the DAO provider and the anonymous provider; basicEntryPoint (defined elsewhere)
            issues the 401 challenge when authentication is required or fails.
        -->
        <beans:bean id="basicAuthFilter"
            class="org.opendatakit.common.security.spring.BasicAuthenticationFilter">
            <beans:constructor-arg>
                <beans:bean class="org.springframework.security.authentication.ProviderManager">
                    <beans:constructor-arg>
                        <beans:list>
                            <beans:ref bean="basicAuthenticationProvider" />
                            <beans:ref bean="anonymousProvider" />
                        </beans:list>
                    </beans:constructor-arg>
                </beans:bean>
            </beans:constructor-arg>
            <beans:constructor-arg ref="basicEntryPoint" />
        </beans:bean>
        <!--
            DAO provider: hashes the presented password with the SHA encoder above, salted per user
            by AggregateUserSaltSource, and compares it with the record loaded by basicLoginService.
        -->
        <beans:bean id="basicAuthenticationProvider"
            class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
            <beans:property name="passwordEncoder" ref="basicAuthenticationMessageDigestPasswordEncoder" />
            <beans:property name="saltSource">
                <beans:bean class="org.opendatakit.common.security.spring.AggregateUserSaltSource"/>
            </beans:property>
            <beans:property name="userDetailsService" ref="basicLoginService" />
        </beans:bean>
        <!--
            UserDetailsService backed by the datastore, loading BasicAuth/Username credentials.
            The AUTH_LOCAL authority listed here is presumably added to every user it returns; it is
            what the /local_login.html rule above requires alongside isFullyAuthenticated().
        -->
        <beans:bean id="basicLoginService"
            class="org.opendatakit.common.security.spring.UserDetailsServiceImpl">
            <beans:property name="datastore" ref="datastore"/>
            <beans:property name="userService" ref="user_service"/>
            <beans:property name="passwordType" value="BasicAuth"/>
            <beans:property name="credentialType" value="Username"/>
            <beans:property name="authorities">
                <beans:list>
                    <beans:bean class="org.springframework.security.core.authority.SimpleGrantedAuthority">
                        <beans:constructor-arg value="AUTH_LOCAL"/>
                    </beans:bean>
                </beans:list>
            </beans:property>
        </beans:bean>
    </beans:beans>

It is a channel-based configuration. If anything else is needed, please let me know.

  • Possible duplicate of [How to log out user from web site using BASIC authentication?](https://stackoverflow.com/questions/233507/how-to-log-out-user-from-web-site-using-basic-authentication) – holmis83 Sep 07 '17 at 19:48


The `<logout>` element of the Spring Security namespace (spring-security-logout-namespace) is exactly there for this. One caveat: it only cleans up the server side (SecurityContext, HttpSession, cookies). With HTTP Basic authentication the browser keeps the credentials it cached and re-sends the `Authorization` header on the next request, so the user is transparently logged in again unless the server also answers with a 401 challenge.

  1. Logout Url

    <http>
            ...
            <!-- Registers the LogoutFilter on /logout. Under <http> in Spring Security 4.x, CSRF
                 protection is on by default and the namespace logout then matches POST only; a plain
                 GET link to /logout does nothing unless CSRF is disabled. With HTTP Basic this only
                 clears the server side: the browser keeps and re-sends its cached credentials. -->
            <logout logout-url="/logout"/> 
    
    </http>
    
  2. Invalidate Session and Delete Cookie

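    <http>
        <!-- invalidate-session defaults to true in the namespace; delete-cookies additionally
             clears the session cookie in the browser. Neither removes HTTP Basic credentials cached
             by the browser, which are re-sent on the next request. -->
        <logout
          logout-url="/logout"
          delete-cookies="JSESSIONID" />
    </http>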
    

You can write your own logout success handler that responds with `401 Unauthorized` if the request still carries a valid authentication. Provided the response also carries a `WWW-Authenticate: Basic realm="..."` header (RFC 7235 requires it on every 401, and browsers generally do not re-prompt without it), the browser drops the cached credentials and shows the HTTP Basic dialog, where the user can enter new credentials or cancel.

If the user enters valid credentials, they are logged in again. If the credentials are wrong, the dialog reappears. If the user cancels, the next request reaches the handler without credentials, the `Authentication` argument is null, and the response can redirect the browser to a logout page or to a page without access restrictions, such as the index.

Handler

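/**
 * Logout success handler for HTTP Basic authentication.
 *
 * <p>Invalidating the session does not make a browser forget Basic credentials: it re-sends the
 * {@code Authorization} header on the next request. Answering the logout request with a 401 plus a
 * {@code WWW-Authenticate} challenge is what makes the browser discard the cached credentials and
 * prompt again. A request that arrives without credentials (for example after the user cancelled the
 * prompt) reaches this handler with a null {@code authentication} and is sent to the context root.
 *
 * <p>Note: the class name shadows Spring's {@code LogoutHandler} interface although this is a
 * {@code LogoutSuccessHandler}; consider renaming it to avoid confusion.
 */
public class LogoutHandler extends SimpleUrlLogoutSuccessHandler {

    /**
     * Realm sent in the 401 challenge. It should match the realm of the
     * {@code BasicAuthenticationEntryPoint} in use, so the browser replaces the credentials it
     * cached for that protection space rather than creating a new one.
     */
    private String realmName = "Realm";

    public void setRealmName(String realmName) {
        this.realmName = realmName;
    }

    /**
     * Redirects to the context root when no credentials accompanied the request; otherwise
     * challenges the browser with 401 so it forgets the cached Basic credentials.
     *
     * @throws IOException if the redirect or error response cannot be written
     */
    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication authentication) throws IOException, ServletException {
        if (authentication == null) {
            // Nothing left to forget: send the user to an unrestricted page.
            response.sendRedirect(request.getContextPath());
        } else {
            // Credentials still arrived, so the browser is still caching them. A 401 without a
            // WWW-Authenticate header violates RFC 7235 and most browsers then render an error page
            // instead of re-prompting, leaving the cached credentials in place.
            response.setHeader("WWW-Authenticate", "Basic realm=\"" + realmName + "\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

}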

WebSecurityConfigurerAdapter

private final LogoutHandler logoutHandler;

@Override
protected void configure(HttpSecurity http) throws Exception {
// CSRF protection is on by default in WebSecurityConfigurerAdapter, so logout() here matches
// POST /logout only; a plain GET link does not trigger it unless csrf() is disabled or a custom
// logoutRequestMatcher is configured. The 401 issued by logoutHandler is what makes the browser
// drop cached Basic credentials; invalidateHttpSession/deleteCookies only clean up the server side
// and the session cookie.
http.authorizeRequests()
    ...
    .and().httpBasic()
    .and().logout()
    .logoutUrl("/logout")
    .logoutSuccessHandler(logoutHandler)
    .invalidateHttpSession(true)
    .deleteCookies("JSESSIONID")
    ...
}