Spring Security - After logout able to access application through url

Hi All,

In our application we are using Spring Security 3.0. The issue is after logging out from the application if i access the application by changing the url getting null pointer exception. This is happening only to those url's which iam not authenticating in Spring Security. Why am i allowed to access the Url after session expired? Spring should first check if session is valid then forward me to the request. Below are the filters i configured

<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy"> <constructor-arg> <list> <security:filter-chain pattern="/*.htm**" filters="httpSessionContextIntegrationFilter, logOutFilter, formAuthenticationProcessingFilter, exceptionTranslationFilter, filterSecurityInterceptor" /> </list> </constructor-arg> </bean> <bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter"> </bean> <bean id="logOutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter"> <constructor-arg value="/"/> <constructor-arg> <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/> </constructor-arg> <property name="filterProcessesUrl" value="/spring_logout.htm"/> </bean> <bean id="formAuthenticationProcessingFilter" class="com.ifs.csp.security.CustomeAuthenticationProcessingFilter"> <property name="filterProcessesUrl"> <value>/j_spring_security_check.htm</value> </property> <property name="authenticationFailureHandler"> <ref bean="failureHandler"></ref> </property> <property name="authenticationManager"> <ref bean="authenticationManager" /> </property> <property name="usernameParameter" value="strUserId"> </property> <property name="passwordParameter" value="strPassword"> </property> . . . . . . . </bean>

Its resolved...thanks....issue was with url mismatch

If you are using Spring Security 3.0 Why do you have all those Spring Security beans defined. That is about 300 lines of xml that you don't need. That you get with just <security:http> tag in the security namespace. Much shorter than 300 lines of xml.

Mark

Hi,

I have a problem with my Logout functionality in my application which using CAS integrated with Spring security. My spring configuration is as below:

<bean id="logoutFilter" class="org.springframework.security.web.authentica tion.logout.LogoutFilter">
<!-- URL redirected to after logout success -->
<constructor-arg value="https://casURL/cas-server-webapp-3.5.1/logout?service=applnURL"/>

<constructor-arg>
<list>
<bean class="org.springframework.security.web.authentica tion.logout.SecurityContextLogoutHandler"/>
<bean class="com.blah.blah.sso.logout.CustomLogoutHandle r"/>
</list>
</constructor-arg>
</bean>

On clicking of the Logout link in my application URL with URl /j_spring_security_logout which invalidates session in SecurityContextLogoutHandler and redirects to the service as in the constructor. Our expected behaviour is that the CAS must log itself out ,invalidate session both in CAS and application and redirect to the service configured as above.

What actually happens is that i am getting the service URL getting called but CAS is not creating the ST for the valid user i give at THIS point of time in the CAS login page.

Any help please.

Thanks,
Mckenzie

This thread has already been marked as resolved. Please start new threads for new questions.