DuyHai's Java Blog

Spring Security part II : SecurityContextPersistentFilter & LogoutFilter

Advertisements

In this post we’ll dig into the details of SecurityContextPersistentFilter & LogoutFilter configuration.

III SecurityContextPersistentFilter

The name is quite explicit. The SecurityContextPersistentFilter interface purpose is to store the security context in some repository.

To achieve this task, the filter delegates the job to a SecurityContextRepository interface.

Spring provides a default implementation for this interface: org.springframework.security.web.context.HttpSessionSecurityContextRepository. This is quite self-explanatory. The repository for the security context is simply the current user HTTP session.

Below is the XML configuration for the SecurityContextPersistentFilter



<!-- Filter to store the Authentication object in the HTTP Session -->	
<bean id="securityContextPersistentFilter" 
	class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
	<property name="securityContextRepository" ref="securityContextRepository" />
</bean>
	
	
<bean id="securityContextRepository" 
	class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />

IV LogoutFilter

The LogoutFilter is in charge of logging out the current user and invalidating the security context. The task of invalidating the HTTP session is again delegated to another actor, the SecurityContextLogoutHandler.

This handler is injected in the LogoutFilter constructor:


<bean id="logoutFilter" 
	class="org.springframework.security.web.authentication.logout.LogoutFilter">
	<constructor-arg value="/pages/Security/logout.html" />
	<constructor-arg>
		<list>
			<bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
		</list>
	</constructor-arg>
	<property name="filterProcessesUrl" value="/j_myApplication_logout"/>
</bean>

At line 3, we define the URL of the logout page.
The SecurityContextLogoutHandler is injected as constructor argument at line 6.
The HTML URL for the logout action is define by the filterProcessesUrl parameter at line 9.


<a id="logout_link_id" class="logout-text" 
	href="/myApplication/j_myApplication_logout">Logout</a>	

to be continued…

Part I : Configuration & Security Chain

Advertisements