Spring Security: Redirect to invalid-session-url instead of logout-success-url on successful logout

Question

Hi, I have implemented a login-logout system with Spring Security 3.0.2, everything is fine but for this one thing: after I added a session-management tag with invalid-session-url attribute, on logout Spring would always redirect me on the invalid-session-url instead of the logout-success-url (which it correctly did before).

Is there a way to avoid this behaviour?

This is my configuration:

<http use-expressions="true" auto-config="true">
        [...some intercept-url's...]

    <form-login login-page="/login" authentication-failure-url="/login?error=true"
            login-processing-url="/login-submit" default-target-url="/home"
            always-use-default-target="true" />

    <logout logout-success-url="/home?logout=true" logout-url="/login-logout" />

    <session-management invalid-session-url="/home?invalid=true" />
</http>

Thanks a lot.

Answer 1

Do not confuse the logout-url attribute in the logout tag with the invalid-session-url attribute from session-management.

The latter is the URL to execute the action of logging out while the former is the URL being forwarded to upon a logout action.

To put it in other words, when creating a logout button, the URL for that button would be the logout-url value. Now when the logout is done, spring security, be default, will render the main application's root app path, i.e.: http://yourserver:yourport/yourwebapp/. This path is overridden by invalid-session-url. So upon logout, you will be forwarded there.

To sum up, if you don't want the behavior you're asking for, then do not use invalid-session-url attribute. Hope that helps.