Package org.springframework.security.web.authentication.logout

Class SecurityContextLogoutHandler

java.lang.Object

org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler

All Implemented Interfaces:

LogoutHandler

public class SecurityContextLogoutHandler
extends java.lang.Object
implements LogoutHandler

Performs a logout by modifying the SecurityContextHolder.

Will also invalidate the HttpSession if isInvalidateHttpSession() is true and the session is not null.

Will also remove the Authentication from the current SecurityContext if clearAuthentication is set to true (default).

Field Summary

Fields

Modifier and Type	Field	Description
protected org.apache.commons.logging.Log	logger

Constructor Summary

Constructors

Constructor	Description
SecurityContextLogoutHandler()

Method Summary

Modifier and Type	Method	Description
boolean	isInvalidateHttpSession()
void	logout(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authentication)	Requires the request to be passed in.
void	setClearAuthentication(boolean clearAuthentication)	If true, removes the Authentication from the SecurityContext to prevent issues with concurrent requests.
void	setInvalidateHttpSession(boolean invalidateHttpSession)	Causes the HttpSession to be invalidated when this LogoutHandler is invoked.
void	setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)	Sets the SecurityContextHolderStrategy to use.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

logger

protected final org.apache.commons.logging.Log logger

Constructor Detail

SecurityContextLogoutHandler

public SecurityContextLogoutHandler()

Method Detail

logout

public void logout(javax.servlet.http.HttpServletRequest request,
                   javax.servlet.http.HttpServletResponse response,
                   Authentication authentication)

Requires the request to be passed in.

Specified by:

logout in interface LogoutHandler

Parameters:

request - from which to obtain a HTTP session (cannot be null)

response - not used (can be null)

authentication - not used (can be null)

isInvalidateHttpSession

public boolean isInvalidateHttpSession()

setSecurityContextHolderStrategy

public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)

Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.

Since:

5.8

setInvalidateHttpSession

public void setInvalidateHttpSession(boolean invalidateHttpSession)

Causes the HttpSession to be invalidated when this LogoutHandler is invoked. Defaults to true.

Parameters:

invalidateHttpSession - true if you wish the session to be invalidated (default) or false if it should not be.

setClearAuthentication

public void setClearAuthentication(boolean clearAuthentication)

If true, removes the Authentication from the SecurityContext to prevent issues with concurrent requests.

Parameters:

clearAuthentication - true if you wish to clear the Authentication from the SecurityContext (default) or false if the Authentication should not be removed.