1
votes

Lets say my logout URL is: app/logout. I need to show a message - "You are succesfully logged out" in logout page only when logout was triggred by clikcing the logout button.
The message should not be displayed if the user enters this URL directly. Any idea how to implement this?

Controller:

@RequestMapping(value ="/logout", method = RequestMethod.GET)
    public ModelAndView logout(HttpServletRequest request, HttpServletResponse response) {
            ModelAndView model = new ModelAndView();
       //some code here to distingish
            model.addObject("msg", "You are succesfully logged out!");
            model.setViewName("login");
        return model;
    }

Spring-Security.xml:

http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">

<http auto-config="true" create-session="ifRequired" use-expressions="true">        
<intercept-url pattern="/logout" access="IS_AUTHENTICATED_REMEMBERED"/>
    <form-login 
        login-page="/login" 
        default-target-url="/home" 
        authentication-failure-url="/login?error" 
        username-parameter="username"
        password-parameter="password" />
    <logout logout-success-url="/logout" invalidate-session="true" delete-cookies="JSESSIONID"/>
    <!-- enable csrf protection -->
    <csrf/>
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="mkyong" password="123456" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>

2

2 Answers

1
votes

As it is for Spring Security, I think that the simplest way is to use spring security to restrict /logout to authenticated users.

Using the namespace it would be :

<intercept-url pattern="/logout" access="IS_AUTHENTICATED_REMEMBERED"/>

Using Java configuration, it would be :

protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/logout").authenticated()
            ...
}
0
votes

Add @RequestParam(value = "foo", required = false) Boolean foo

Add this additional parameter to logout button, if foo exist and is true do your logic