In our application we are using Spring Security 3.0. The issue is that after logging out from the application, if I access the application by changing the URL, I get a null pointer exception. This happens only for those URLs which I am not authenticating in Spring Security. Why am I allowed to access the URL after the session has expired? Spring should first check if the session is valid and then forward me to the request. Below are the filters I configured
If you are using Spring Security 3.0, why do you have all those Spring Security beans defined? That is about 300 lines of XML that you don't need. You get that with just the <security:http> tag in the security namespace. Much shorter than 300 lines of XML.
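A namespace configuration of the kind the reply above refers to, as an added example that is not part of the thread or either poster's application. The URL patterns, the login page path and the in-memory user are assumptions; the catch-all pattern is what keeps URLs that are not listed explicitly from being served without an authenticated session.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- auto-config registers the standard filter chain, replacing hand-wired filter beans -->
  <security:http auto-config="true">
    <!-- Assumed path: only the login page is reachable without authentication -->
    <security:intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>

    <!-- Catch-all, listed last because patterns are matched in order.
         Any URL not matched above requires an authenticated user, so a request
         made after logout or session expiry is sent to the login page instead of
         reaching application code with no security context. -->
    <security:intercept-url pattern="/**" access="ROLE_USER"/>

    <security:form-login login-page="/login.jsp"/>

    <!-- Logout URL as used in the thread; the HTTP session is invalidated on logout -->
    <security:logout logout-url="/j_spring_security_logout"
                     logout-success-url="/login.jsp"
                     invalidate-session="true"/>

    <!-- Requests carrying an expired or invalid session id are redirected here -->
    <security:session-management invalid-session-url="/login.jsp"/>
  </security:http>

  <!-- Constructed placeholder user for illustration only; use a real provider in practice -->
  <security:authentication-manager>
    <security:authentication-provider>
      <security:user-service>
        <security:user name="demo" password="change-me" authorities="ROLE_USER"/>
      </security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>
</beans>
```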
On clicking the Logout link in my application, the URL /j_spring_security_logout is called, which invalidates the session in SecurityContextLogoutHandler and redirects to the service as in the constructor. Our expected behaviour is that the CAS must log itself out, invalidate the session both in CAS and the application, and redirect to the service configured as above.
What actually happens is that the service URL is getting called, but CAS is not creating the ST for the valid user I give at THIS point of time in the CAS login page.