Hi All,
We are using spring-security 3.1.2. The issue is: when someone is logged in and trying to get something (assume it is a heavy request that takes a lot of time to serve), and meanwhile he logs out from another tab. When the original request is served, after that he is able to use the application as if he were logged into the application.
I debugged it and found that the problem lies with the thread-local implementation of SecurityContextHolderStrategy (ThreadLocalSecurityContextHolderStrategy).
So basically, if the user logs out, his logged-in session is invalidated, but when the original request is served, a new session is created and Spring Security populates the SecurityContext from ThreadLocalSecurityContextHolderStrategy into the new session.
Please help: are we doing something wrong, or do we need to write a custom SecurityContextHolderStrategy implementation?
Thanks for any help.
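One defensive approach to the race described above, added here as an illustration and not code from the original post or from Spring Security itself: instead of replacing the holder strategy, wrap the stock `HttpSessionSecurityContextRepository` so that a context loaded from a session which has since been invalidated (logout in another tab) is not written into a freshly created session when the in-flight request completes. The class name `LogoutAwareSecurityContextRepository` and the request-attribute key are my own; it assumes the Servlet API and the 3.1 `SecurityContextRepository` interface, and that a genuine login during the same request replaces the `Authentication` object (so that case is still persisted).

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;

/**
 * Hypothetical wrapper (not part of Spring Security): refuses to persist a
 * SecurityContext into a new session when the session it was loaded from has
 * been invalidated while the request was still running.
 */
public class LogoutAwareSecurityContextRepository implements SecurityContextRepository {

    // Request attribute remembering which Authentication was loaded at the start of the request.
    private static final String LOADED_AUTH =
            LogoutAwareSecurityContextRepository.class.getName() + ".LOADED_AUTH";

    private final HttpSessionSecurityContextRepository delegate =
            new HttpSessionSecurityContextRepository();

    @Override
    public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        SecurityContext ctx = delegate.loadContext(holder);
        // Record the object identity of the authentication that came out of the original session.
        holder.getRequest().setAttribute(LOADED_AUTH, ctx.getAuthentication());
        return ctx;
    }

    @Override
    public void saveContext(SecurityContext context, HttpServletRequest request,
                            HttpServletResponse response) {
        // The session id this request arrived with is no longer valid: it was invalidated
        // (e.g. by a logout in another tab) after the context had already been loaded.
        boolean originalSessionGone = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
        // Same Authentication object as loaded => nothing new happened in this request;
        // a login during the request would have installed a different object.
        boolean unchangedLogin = context.getAuthentication() != null
                && context.getAuthentication() == request.getAttribute(LOADED_AUTH);
        if (originalSessionGone && unchangedLogin) {
            return; // drop the stale thread-local context instead of resurrecting the login
        }
        delegate.saveContext(context, request, response);
    }

    @Override
    public boolean containsContext(HttpServletRequest request) {
        return delegate.containsContext(request);
    }
}
```

Wire it in by passing an instance to `SecurityContextPersistenceFilter` via the `security-context-repository-ref` attribute on `<http>` (or the filter's constructor in Java config); verify with the two-tab scenario from the post that the completed heavy request then lands on the login page rather than a live session.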