{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 别忘想泡老子 的问题《Spring Security: Redirect to invalid-session-url i》','https://www.manongdao.com/q-195777.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have implemented a login-logout system with Spring Security 3.0.2, everything is fine but for this one thing: after I added a session-management tag with invalid-session-url attribute, on logout Spring would always redirect me on the invalid-session-url instead of the logout-success-url (which it correctly did before).
Is there a way to avoid this behaviour?
This is my configuration:
<http use-expressions="true" auto-config="true">
[...some intercept-url's...]
<form-login login-page="/login" authentication-failure-url="/login?error=true"
login-processing-url="/login-submit" default-target-url="/home"
always-use-default-target="true" />
<logout logout-success-url="/home?logout=true" logout-url="/login-logout" />
<session-management invalid-session-url="/home?invalid=true" />
</http>
Thanks a lot.
By default, the logout process will first invalidate the session, hence triggering the session management to redirect to the invalid session page. By specifying invalidate-session="false" will fix this behavior.
Do not confuse the logout-url attribute in the logout tag with the
invalid-session-urlattribute from session-management.The latter is the URL to execute the action of logging out while the former is the URL being forwarded to upon a logout action.
To put it in other words, when creating a logout button, the URL for that button would be the
logout-urlvalue. Now when the logout is done, spring security, be default, will render the main application's root app path, i.e.:http://yourserver:yourport/yourwebapp/. This path is overridden byinvalid-session-url. So upon logout, you will be forwarded there.To sum up, if you don't want the behavior you're asking for, then do not use
invalid-session-urlattribute. Hope that helps.