Example 1 with SecurityContextLogoutHandler

Use of org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler in project ORCID-Source by ORCID.

Class BaseController, method logoutCurrentUser:

protected void logoutCurrentUser(HttpServletRequest request, HttpServletResponse response) {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    if (internalSSOManager.enableCookie()) {
        Cookie[] cookies = request.getCookies();
        // Delete cookie and token associated with that cookie
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                if (InternalSSOManager.COOKIE_NAME.equals(cookie.getName())) {
                    try {
                        // If it is a valid cookie, extract the orcid value and
                        // remove the token and the cookie
                        @SuppressWarnings("unchecked") HashMap<String, String> cookieValues = JsonUtils.readObjectFromJsonString(cookie.getValue(), HashMap.class);
                        if (cookieValues.containsKey(InternalSSOManager.COOKIE_KEY_ORCID) && !PojoUtil.isEmpty(cookieValues.get(InternalSSOManager.COOKIE_KEY_ORCID))) {
                            internalSSOManager.deleteToken(cookieValues.get(InternalSSOManager.COOKIE_KEY_ORCID), request, response);
                        } else {
                            // If it is not valid, just remove the cookie
                            cookie.setValue(StringUtils.EMPTY);
                            cookie.setMaxAge(0);
                            response.addCookie(cookie);
                        }
                    } catch (RuntimeException re) {
                        // If any exception happens, but, the cookie exists,
                        // remove the cookie
                        cookie.setValue(StringUtils.EMPTY);
                        cookie.setMaxAge(0);
                        response.addCookie(cookie);
                    }
                    break;
                }
            }
        }
        // Delete token if exists
        if (authentication != null && !PojoUtil.isEmpty(authentication.getName())) {
            internalSSOManager.deleteToken(authentication.getName());
        }
    }
    if (authentication != null && authentication.isAuthenticated()) {
        new SecurityContextLogoutHandler().logout(request, response, authentication);
    }
    CsrfToken token = csrfTokenRepository.generateToken(request);
    csrfTokenRepository.saveToken(token, request, response);
    request.setAttribute("_csrf", token);
}
Also used:
    javax.servlet.http.Cookie
    org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler
    org.springframework.security.core.Authentication
    org.springframework.security.web.csrf.CsrfToken

Example 2 with SecurityContextLogoutHandler

Use of org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler in project spring-security by spring-projects.

Class ConcurrentSessionFilterTests, method detectsExpiredSessions:

@Test
public void detectsExpiredSessions() throws Exception {
    // Setup our HTTP request
    MockHttpServletRequest request = new MockHttpServletRequest();
    MockHttpSession session = new MockHttpSession();
    request.setSession(session);
    MockHttpServletResponse response = new MockHttpServletResponse();
    SessionRegistry registry = new SessionRegistryImpl();
    registry.registerNewSession(session.getId(), "principal");
    registry.getSessionInformation(session.getId()).expireNow();
    // Setup our test fixture and registry to want this session to be expired
    SimpleRedirectSessionInformationExpiredStrategy expiredSessionStrategy = new SimpleRedirectSessionInformationExpiredStrategy("/expired.jsp");
    ConcurrentSessionFilter filter = new ConcurrentSessionFilter(registry, expiredSessionStrategy);
    filter.setLogoutHandlers(new LogoutHandler[] { new SecurityContextLogoutHandler() });
    filter.afterPropertiesSet();
    FilterChain fc = mock(FilterChain.class);
    filter.doFilter(request, response, fc);
    // Expect that the filter chain will not be invoked, as we redirect to expiredUrl
    verifyZeroInteractions(fc);
    assertThat(response.getRedirectedUrl()).isEqualTo("/expired.jsp");
}
Also used:
    org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler
    org.springframework.security.web.session.SimpleRedirectSessionInformationExpiredStrategy
    org.springframework.security.core.session.SessionRegistry
    org.springframework.security.core.session.SessionRegistryImpl
    org.springframework.security.web.session.ConcurrentSessionFilter
    org.springframework.mock.web.MockHttpServletRequest
    org.springframework.mock.web.MockHttpServletResponse
    org.springframework.mock.web.MockHttpSession
    org.springframework.mock.web.MockFilterChain
    javax.servlet.FilterChain
    org.junit.Test