Spring Security Logout session is not invalidated -


i tried find on stackoverflow , elsewhere make working , still not work. using spring framework 4.1.6.release, spring security 4.0.0.release. configured namespace logout tag , way able invalidate session doing programmatically in controller httpsession.invalidate() call.

when requesting logout, redirected appropriate page, session never invalidated , jsessionid not deleted. , no not cache effect. tried fine cache suggestions , having @preauthorize annotations , user must authenticated call them , can call them if logs out. way invalidate session enter bad username/password in login panel redirected , refused authentication. @ point, session destroyed.

i out of ideas , hints.

here security-applicationcontext.xml

<?xml version="1.0" encoding="utf-8"?> <b:beans xmlns:b="http://www.springframework.org/schema/beans"     xmlns:xsi="http://www.w3.org/2001/xmlschema-instance"     xmlns="http://www.springframework.org/schema/security"     xmlns:oauth="http://www.springframework.org/schema/security/oauth"     xsi:schemalocation="http://www.springframework.org/schema/security     http://www.springframework.org/schema/security/spring-security-4.0.xsd     http://www.springframework.org/schema/security/oauth     http://www.springframework.org/schema/security/spring-security-oauth.xsd     http://www.springframework.org/schema/beans     http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">  <!-- --> <b:bean id="securityexpressionhandler" class="org.springframework.security.access.expression.method.defaultmethodsecurityexpressionhandler" >     <b:property name="defaultroleprefix" value="role_" /> </b:bean> <b:bean id="preinvocationadvice" class="org.springframework.security.access.expression.method.expressionbasedpreinvocationadvice" >     <b:property name="expressionhandler" ref="securityexpressionhandler" /> </b:bean> <b:bean id="postinvocationadvice" class="org.springframework.security.access.expression.method.expressionbasedpostinvocationadvice" >     <b:constructor-arg ref="securityexpressionhandler" /> </b:bean> <b:bean id="myrolevoter" class="org.springframework.security.access.vote.rolevoter">     <b:property name="roleprefix" value="role_" /> </b:bean> <!-- -->  <!-- configuration de l'accès et du formulaire --> <!-- permettre l'accès libre aux feuilles de style, polices et images --> <http pattern='/resources/css/**' security="none" /> <http pattern='/resources/fonts/**' security="none" /> <http pattern='/resources/images/**' security="none" /> <http pattern='/resources/js/**' security="none" />  <http use-expressions="true" disable-url-rewriting="true">      <!-- limitation à une seule session utilisateur concurrente -->     <session-management invalid-session-url="/identite?session_invalide=1"         session-authentication-error-url="/identite?identite_err=1">         <concurrency-control max-sessions="1"             expired-url="/identite?expiree=1" />     </session-management>      <!-- définitions pour le formulaire de la page jsp d'identification -->     <form-login login-page="/identite" login-processing-url="/identite.proc" default-target-url="/" always-use-default-target="true" authentication-failure-url="/identite?identite_err=1" username-parameter="username" password-parameter="password" />     <csrf disabled="false" />      <logout logout-url="/deconnexion"         logout-success-url="/identite?termine=1"         delete-cookies="jsessionid" invalidate-session="true"          />      <!-- utiliser un canal chiffré pour les échanges -->     <intercept-url requires-channel="https" pattern="/identite*" access="permitall()" />     <intercept-url requires-channel="https" pattern="/deconnexion*" access="permitall()" />     <intercept-url requires-channel="https" pattern="/logout*" access="permitall()" />     <intercept-url requires-channel="https" pattern="/action*" access="hasrole('role_admin') or hasrole('role_support')" />     <intercept-url requires-channel="https" pattern="/causes*" access="hasrole('role_admin')" />     <intercept-url requires-channel="https" pattern="/telechargement*" access="hasrole('role_user') or hasrole('role_admin')" />     <intercept-url requires-channel="https" pattern="/**" access="isauthenticated()" />     <access-denied-handler error-page="/erreur403" /> </http>  <!-- fournisseurs d'identité pour le formulaire --> <authentication-manager erase-credentials="true">     <authentication-provider ref="monfournisseurad" /> </authentication-manager> <b:bean id="grantedauthoritiesmapper" class="com.company.gisti.securite.ad.activedirectorygrantedauthoritiesmapper">     <b:description>cette fève (bean) met en place la correspondance entre les groupes ad/ldap et les rôles au niveau applicatif.</b:description>     <b:property name="groupesadministrateur">         <b:description>ensemble de noms de groupes dans ad/ldap indiquant que l'usager un rôle d'administrateur pour cette application.</b:description>         <b:set value-type="java.lang.string">             <b:value>secrole-support-ddmi</b:value>         </b:set>     </b:property>     <b:property name="groupessupport">         <b:description>ensemble de noms de groupes dans ad/ldap indiquant que l'usager un rôle d'usager de support pour cette application.</b:description>         <b:set value-type="java.lang.string">             <b:value>secrole-support-hpsm</b:value>             <b:value>secrole-adminsystemehpucmdb</b:value>         </b:set>     </b:property>     <b:property name="groupesusager">         <b:description>ensemble de noms de groupes dans ad/ldap indiquant que l'usager un rôle d'utilisateur simple pour cette application. </b:description>         <b:set value-type="java.lang.string">             <b:value>secrole-utilisateurs-hpam</b:value>         </b:set>     </b:property> </b:bean>  <!-- identification par active directory --> <b:bean id="monfournisseurad" class="org.springframework.security.ldap.authentication.ad.activedirectoryldapauthenticationprovider">     <b:constructor-arg value="campus.company.com" />                <!-- userprincipalname de la forme username@campus... -->     <b:constructor-arg value="ldap://fsapps.company.uni:389/" />    <!-- comment rejoindre le serveur -->     <b:constructor-arg value="dc=fsapps,dc=company,dc=uni" />   <!-- baseobject -->     <b:property name="searchfilter" value="(&amp;(userprincipalname={0})(objectclass=user))" />     <b:property name="userdetailscontextmapper">         <b:bean class="org.springframework.security.ldap.userdetails.inetorgpersoncontextmapper" />     </b:property>     <b:property name="authoritiesmapper" ref="grantedauthoritiesmapper" />     <b:property name="convertsuberrorcodestoexceptions" value="true" /> </b:bean>  <b:bean id="securitycontextpersistencefilter" class="org.springframework.security.web.context.securitycontextpersistencefilter" /> <b:bean id="mydeconnexionhandler" class="com.company.gisti.web.app.deconnexionhandler" />  </b:beans> 

and here mvc-applicationcontext.xml

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security" xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:context="http://www.springframework.org/schema/context" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance" xsi:schemalocation="     http://www.springframework.org/schema/beans          http://www.springframework.org/schema/beans/spring-beans-4.1.xsd     http://www.springframework.org/schema/mvc      http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd     http://www.springframework.org/schema/context      http://www.springframework.org/schema/context/spring-context-4.1.xsd     http://www.springframework.org/schema/security     http://www.springframework.org/schema/security/spring-security-4.0.xsd">  <security:global-method-security pre-post-annotations="enabled" secured-annotations="enabled" /> <context:annotation-config /> <mvc:resources mapping="/resources/**" location="/resources/theme_desjardins/" /> <mvc:annotation-driven /><mvc:interceptors> <mvc:interceptor>     <mvc:mapping path="/**" />     <bean class="org.springframework.web.servlet.mvc.webcontentinterceptor">         <property name="cacheseconds" value="0"></property>         <property name="useexpiresheader" value="true"></property>         <property name="usecachecontrolheader" value="true"></property>         <property name="usecachecontrolnostore" value="true"></property></bean> </mvc:interceptor></mvc:interceptors>  <bean class="org.springframework.web.servlet.view.internalresourceviewresolver">     <property name="prefix" value="/web-inf/pages/" />     <property name="suffix" value=".jsp" /> </bean>  <context:component-scan base-package="com.company.gisti.web.app" />  </beans> 

in security xml file, there logout success handler defined, not use in configuration, tried 1 , never called. can implement logouthandler, @ point equivalent invalidate session doing servlet controller.


update 2015-04-23 11:06:00 edt

my problem logout url access via method instead of post should have been givin csrf protection enabled. corrected part , session invalidated. thing still not work redirection login page. btw, logout url /deconnexion , login url /identite. so, session invalidated , kept on same page background processes not longer authorized expected since no longer authentified access server. need click on unauthorized url page refreshed due accessdeniedexception. in following log, not giving complete result clicking on such url, url /causes in log. lead exception redirect login page. first 2 lines in log refer login , page loading completed successfully, logout initiated.

2015-04-23 11:01:40,040 debug (o.s.w.s.frameworkservlet.processrequest) [http-8443-1] completed request mdc{} 2015-04-23 11:01:40,040 debug (o.s.s.w.a.exceptiontranslationfilter.dofilter) [http-8443-1] chain processed mdc{} 2015-04-23 11:01:40,040 debug (o.s.s.w.c.securitycontextpersistencefilter.dofilter) [http-8443-1] securitycontextholder cleared, request processing completed mdc{} 2015-04-23 11:01:43,020 debug (o.s.s.w.u.m.antpathrequestmatcher.matches) [http-8443-2] checking match of request : '/deconnexion'; against '/resources/css/**' mdc{} 2015-04-23 11:01:43,020 debug (o.s.s.w.u.m.antpathrequestmatcher.matches) [http-8443-2] checking match of request : '/deconnexion'; against '/resources/fonts/**' mdc{} 2015-04-23 11:01:43,020 debug (o.s.s.w.u.m.antpathrequestmatcher.matches) [http-8443-2] checking match of request : '/deconnexion'; against '/resources/images/**' mdc{} 2015-04-23 11:01:43,020 debug (o.s.s.w.u.m.antpathrequestmatcher.matches) [http-8443-2] checking match of request : '/deconnexion'; against '/resources/js/**' mdc{} 2015-04-23 11:01:43,020 debug (o.s.s.w.filterchainproxy$virtualfilterchain.dofilter) [http-8443-2] /deconnexion @ position 1 of 13 in additional filter chain; firing filter: 'channelprocessingfilter' mdc{} 2015-04-23 11:01:43,020 debug (o.s.s.w.u.m.antpathrequestmatcher.matches) [http-8443-2] checking match of request : '/deconnexion'; against '/identite*' mdc{} 2015-04-23 11:01:43,020 debug (o.s.s.w.u.m.antpathrequestmatcher.matches) [http-8443-2] checking match of request : '/deconnexion'; against '/deconnexion*' mdc{} 2015-04-23 11:01:43,020 debug (o.s.s.w.a.c.channelprocessingfilter.dofilter) [http-8443-2] request: filterinvocation: url: /deconnexion; configattributes: [requires_secure_channel] mdc{} 2015-04-23 11:01:43,020 debug (o.s.s.w.filterchainproxy$virtualfilterchain.dofilter) [http-8443-2] /deconnexion @ position 2 of 13 in additional filter chain; firing filter: 'securitycontextpersistencefilter' mdc{} 2015-04-23 11:01:43,020 debug (o.s.s.w.c.httpsessionsecuritycontextrepository.readsecuritycontextfromsession) [http-8443-2] obtained valid securitycontext spring_security_context: 'org.springframework.security.core.context.securitycontextimpl@49e898d4: authentication: org.springframework.security.authentication.usernamepasswordauthenticationtoken@49e898d4: principal: org.springframework.security.ldap.userdetails.inetorgperson@644dcdae: dn: cn=myusername,ou=utilisateurs,dc=fsapps,dc=company,dc=uni; username: myusername; password: [protected]; enabled: true; accountnonexpired: true; credentialsnonexpired: true; accountnonlocked: true; granted authorities: secrole-support-ddmi, secrole-utilisateurs-hpam; credentials: [protected]; authenticated: true; details: org.springframework.security.web.authentication.webauthenticationdetails@fffe3f86: remoteipaddress: 127.0.0.1; sessionid: 783c021534873ebdfccd914f8b7f1c8c; granted authorities: role_admin, role_user, role_support' mdc{} 2015-04-23 11:01:43,020 debug (o.s.s.w.filterchainproxy$virtualfilterchain.dofilter) [http-8443-2] /deconnexion @ position 3 of 13 in additional filter chain; firing filter: 'concurrentsessionfilter' mdc{} 2015-04-23 11:01:43,020 debug (o.s.s.w.filterchainproxy$virtualfilterchain.dofilter) [http-8443-2] /deconnexion @ position 4 of 13 in additional filter chain; firing filter: 'headerwriterfilter' mdc{} 2015-04-23 11:01:43,035 debug (o.s.s.w.filterchainproxy$virtualfilterchain.dofilter) [http-8443-2] /deconnexion @ position 5 of 13 in additional filter chain; firing filter: 'csrffilter' mdc{} 2015-04-23 11:01:43,035 debug (o.s.s.w.filterchainproxy$virtualfilterchain.dofilter) [http-8443-2] /deconnexion @ position 6 of 13 in additional filter chain; firing filter: 'logoutfilter' mdc{} 2015-04-23 11:01:43,035 debug (o.s.s.w.u.m.antpathrequestmatcher.matches) [http-8443-2] checking match of request : '/deconnexion'; against '/deconnexion' mdc{} 2015-04-23 11:01:43,035 debug (o.s.s.w.a.l.logoutfilter.dofilter) [http-8443-2] logging out user 'org.springframework.security.authentication.usernamepasswordauthenticationtoken@49e898d4: principal: org.springframework.security.ldap.userdetails.inetorgperson@644dcdae: dn: cn=myusername,ou=utilisateurs,dc=fsapps,dc=company,dc=uni; username: myusername; password: [protected]; enabled: true; accountnonexpired: true; credentialsnonexpired: true; accountnonlocked: true; granted authorities: secrole-support-ddmi, secrole-utilisateurs-hpam; credentials: [protected]; authenticated: true; details: org.springframework.security.web.authentication.webauthenticationdetails@fffe3f86: remoteipaddress: 127.0.0.1; sessionid: 783c021534873ebdfccd914f8b7f1c8c; granted authorities: role_admin, role_user, role_support' , transferring logout destination mdc{} 2015-04-23 11:01:43,035 debug (o.s.s.w.a.l.securitycontextlogouthandler.logout) [http-8443-2] invalidating session: 444589e454c7cdf3c9dbfc62e8ca0541 mdc{} 2015-04-23 11:01:43,035 debug (o.s.s.w.s.httpsessioneventpublisher.sessiondestroyed) [http-8443-2] publishing event: org.springframework.security.web.session.httpsessiondestroyedevent[source=org.apache.catalina.session.standardsessionfacade@565f0e7d] mdc{} 2015-04-23 11:01:43,035 debug (o.s.s.c.s.sessionregistryimpl.removesessioninformation) [http-8443-2] removing session 444589e454c7cdf3c9dbfc62e8ca0541 principal's set of registered sessions mdc{} 2015-04-23 11:01:43,035 debug (o.s.s.c.s.sessionregistryimpl.removesessioninformation) [http-8443-2] removing principal org.springframework.security.ldap.userdetails.inetorgperson@644dcdae: dn: cn=myusername,ou=utilisateurs,dc=fsapps,dc=company,dc=uni; username: myusername; password: [protected]; enabled: true; accountnonexpired: true; credentialsnonexpired: true; accountnonlocked: true; granted authorities: secrole-support-ddmi, secrole-utilisateurs-hpam registry mdc{} 2015-04-23 11:01:43,035 debug (o.s.s.w.a.abstractauthenticationtargeturlrequesthandler.determinetargeturl) [http-8443-2] using default url: /identite mdc{} 2015-04-23 11:01:43,035 debug (o.s.s.w.defaultredirectstrategy.sendredirect) [http-8443-2] redirecting '/caissesdispo/identite' mdc{} 2015-04-23 11:01:43,035 debug (o.s.s.w.c.httpsessionsecuritycontextrepository$savetosessionresponsewrapper.savecontext) [http-8443-2] securitycontext empty or contents anonymous - context not stored in httpsession. mdc{} 2015-04-23 11:01:43,035 debug (o.s.s.w.c.securitycontextpersistencefilter.dofilter) [http-8443-2] securitycontextholder cleared, request processing completed mdc{} 2015-04-23 11:01:43,035 debug (o.s.s.w.u.m.antpathrequestmatcher.matches) [http-8443-2] checking match of request : '/identite'; against '/resources/css/**' mdc{} 2015-04-23 11:01:43,035 debug (o.s.s.w.u.m.antpathrequestmatcher.matches) [http-8443-2] checking match of request : '/identite'; against '/resources/fonts/**' mdc{} 2015-04-23 11:01:43,035 debug (o.s.s.w.u.m.antpathrequestmatcher.matches) [http-8443-2] checking match of request : '/identite'; against '/resources/images/**' mdc{} 2015-04-23 11:01:43,035 debug (o.s.s.w.u.m.antpathrequestmatcher.matches) [http-8443-2] checking match of request : '/identite'; against '/resources/js/**' mdc{} 2015-04-23 11:01:43,035 debug (o.s.s.w.filterchainproxy$virtualfilterchain.dofilter) [http-8443-2] /identite @ position 1 of 13 in additional filter chain; firing filter: 'channelprocessingfilter' mdc{} 2015-04-23 11:01:43,035 debug (o.s.s.w.u.m.antpathrequestmatcher.matches) [http-8443-2] checking match of request : '/identite'; against '/identite*' mdc{} 2015-04-23 11:01:43,035 debug (o.s.s.w.a.c.channelprocessingfilter.dofilter) [http-8443-2] request: filterinvocation: url: /identite; configattributes: [requires_secure_channel] mdc{} 2015-04-23 11:01:43,035 debug (o.s.s.w.filterchainproxy$virtualfilterchain.dofilter) [http-8443-2] /identite @ position 2 of 13 in additional filter chain; firing filter: 'securitycontextpersistencefilter' mdc{} 2015-04-23 11:01:43,035 debug (o.s.s.w.c.httpsessionsecuritycontextrepository.readsecuritycontextfromsession) [http-8443-2] no httpsession exists mdc{} 2015-04-23 11:01:43,035 debug (o.s.s.w.c.httpsessionsecuritycontextrepository.loadcontext) [http-8443-2] no securitycontext available httpsession: null. new 1 created. mdc{} 2015-04-23 11:01:43,051 debug (o.s.s.w.filterchainproxy$virtualfilterchain.dofilter) [http-8443-2] /identite @ position 3 of 13 in additional filter chain; firing filter: 'concurrentsessionfilter' mdc{} 2015-04-23 11:01:43,051 debug (o.s.s.w.filterchainproxy$virtualfilterchain.dofilter) [http-8443-2] /identite @ position 4 of 13 in additional filter chain; firing filter: 'headerwriterfilter' mdc{} 2015-04-23 11:01:43,052 debug (o.s.s.w.filterchainproxy$virtualfilterchain.dofilter) [http-8443-2] /identite @ position 5 of 13 in additional filter chain; firing filter: 'csrffilter' mdc{} 2015-04-23 11:01:43,052 debug (o.s.s.w.filterchainproxy$virtualfilterchain.dofilter) [http-8443-2] /identite @ position 6 of 13 in additional filter chain; firing filter: 'logoutfilter' mdc{} 2015-04-23 11:01:43,052 debug (o.s.s.w.u.m.antpathrequestmatcher.matches) [http-8443-2] request 'get /identite' doesn't match 'post /deconnexion mdc{} 2015-04-23 11:01:43,052 debug (o.s.s.w.filterchainproxy$virtualfilterchain.dofilter) [http-8443-2] /identite @ position 7 of 13 in additional filter chain; firing filter: 'usernamepasswordauthenticationfilter' mdc{} 2015-04-23 11:01:43,052 debug (o.s.s.w.u.m.antpathrequestmatcher.matches) [http-8443-2] request 'get /identite' doesn't match 'post /identite.proc mdc{} 2015-04-23 11:01:43,052 debug (o.s.s.w.filterchainproxy$virtualfilterchain.dofilter) [http-8443-2] /identite @ position 8 of 13 in additional filter chain; firing filter: 'requestcacheawarefilter' mdc{} 2015-04-23 11:01:43,052 debug (o.s.s.w.filterchainproxy$virtualfilterchain.dofilter) [http-8443-2] /identite @ position 9 of 13 in additional filter chain; firing filter: 'securitycontextholderawarerequestfilter' mdc{} 2015-04-23 11:01:43,052 debug (o.s.s.w.filterchainproxy$virtualfilterchain.dofilter) [http-8443-2] /identite @ position 10 of 13 in additional filter chain; firing filter: 'anonymousauthenticationfilter' mdc{} 2015-04-23 11:01:43,052 debug (o.s.s.w.a.anonymousauthenticationfilter.dofilter) [http-8443-2] populated securitycontextholder anonymous token: 'org.springframework.security.authentication.anonymousauthenticationtoken@9055e4a6: principal: anonymoususer; credentials: [protected]; authenticated: true; details: org.springframework.security.web.authentication.webauthenticationdetails@957e: remoteipaddress: 127.0.0.1; sessionid: null; granted authorities: role_anonymous' mdc{} 2015-04-23 11:01:43,052 debug (o.s.s.w.filterchainproxy$virtualfilterchain.dofilter) [http-8443-2] /identite @ position 11 of 13 in additional filter chain; firing filter: 'sessionmanagementfilter' mdc{} 2015-04-23 11:01:43,052 debug (o.s.s.w.filterchainproxy$virtualfilterchain.dofilter) [http-8443-2] /identite @ position 12 of 13 in additional filter chain; firing filter: 'exceptiontranslationfilter' mdc{} 2015-04-23 11:01:43,052 debug (o.s.s.w.filterchainproxy$virtualfilterchain.dofilter) [http-8443-2] /identite @ position 13 of 13 in additional filter chain; firing filter: 'filtersecurityinterceptor' mdc{} 2015-04-23 11:01:43,052 debug (o.s.s.w.u.m.antpathrequestmatcher.matches) [http-8443-2] checking match of request : '/identite'; against '/identite*' mdc{} 2015-04-23 11:01:43,052 debug (o.s.s.a.i.abstractsecurityinterceptor.beforeinvocation) [http-8443-2] secure object: filterinvocation: url: /identite; attributes: [permitall()] mdc{} 2015-04-23 11:01:43,052 debug (o.s.s.a.i.abstractsecurityinterceptor.authenticateifrequired) [http-8443-2] authenticated: org.springframework.security.authentication.anonymousauthenticationtoken@9055e4a6: principal: anonymoususer; credentials: [protected]; authenticated: true; details: org.springframework.security.web.authentication.webauthenticationdetails@957e: remoteipaddress: 127.0.0.1; sessionid: null; granted authorities: role_anonymous mdc{} 2015-04-23 11:01:43,052 debug (o.s.s.a.v.affirmativebased.decide) [http-8443-2] voter: org.springframework.security.web.access.expression.webexpressionvoter@514ade37, returned: 1 mdc{} 2015-04-23 11:01:43,052 debug (o.s.s.a.i.abstractsecurityinterceptor.beforeinvocation) [http-8443-2] authorization successful mdc{} 2015-04-23 11:01:43,052 debug (o.s.s.a.i.abstractsecurityinterceptor.beforeinvocation) [http-8443-2] runasmanager did not change authentication object mdc{} 2015-04-23 11:01:43,052 debug (o.s.s.w.filterchainproxy$virtualfilterchain.dofilter) [http-8443-2] /identite reached end of additional filter chain; proceeding original chain mdc{} 2015-04-23 11:01:43,052 debug (o.s.w.s.dispatcherservlet.doservice) [http-8443-2] dispatcherservlet name 'mvc-dispatcher' processing request [/caissesdispo/identite] mdc{} 2015-04-23 11:01:43,052 debug (o.s.w.s.h.abstracthandlermethodmapping.gethandlerinternal) [http-8443-2] looking handler method path /identite mdc{} 2015-04-23 11:01:43,052 debug (o.s.w.s.h.abstracthandlermethodmapping.gethandlerinternal) [http-8443-2] returning handler method [public java.lang.string com.company.gisti.web.app.controleuridentite.handleidentitejsp()] mdc{} 2015-04-23 11:01:43,052 debug (o.s.b.f.s.abstractbeanfactory.dogetbean) [http-8443-2] returning cached instance of singleton bean 'controleuridentite' mdc{} 2015-04-23 11:01:43,052 debug (o.s.w.s.dispatcherservlet.dodispatch) [http-8443-2] last-modified value [/caissesdispo/identite] is: -1 mdc{} 2015-04-23 11:01:43,052 debug (o.s.w.s.m.webcontentinterceptor.prehandle) [http-8443-2] looking cache seconds [/identite] mdc{} 2015-04-23 11:01:43,052 debug (o.s.w.s.m.webcontentinterceptor.prehandle) [http-8443-2] applying default cache seconds [/identite] mdc{} 2015-04-23 11:01:43,052 info (c.d.g.w.c.controleuridentite.handleidentitejsp) [http-8443-2] ************************* >>>>>>> redirige vers identite <<<<<<<<<<<<< *************** mdc{} 2015-04-23 11:01:43,052 debug (o.s.w.s.dispatcherservlet.render) [http-8443-2] rendering view [org.springframework.web.servlet.view.jstlview: name 'identite'; url [/web-inf/pages/identite.jsp]] in dispatcherservlet name 'mvc-dispatcher' mdc{} 2015-04-23 11:01:43,052 debug (o.s.b.f.s.abstractbeanfactory.dogetbean) [http-8443-2] returning cached instance of singleton bean 'requestdatavalueprocessor' mdc{} 2015-04-23 11:01:43,052 debug (o.s.w.s.v.internalresourceview.rendermergedoutputmodel) [http-8443-2] forwarding resource [/web-inf/pages/identite.jsp] in internalresourceview 'identite' mdc{} 2015-04-23 11:01:43,052 debug (o.s.s.w.s.httpsessioneventpublisher.sessioncreated) [http-8443-2] publishing event: org.springframework.security.web.session.httpsessioncreatedevent[source=org.apache.catalina.session.standardsessionfacade@27573872] mdc{} 2015-04-23 11:01:43,052 debug (o.s.b.f.s.abstractbeanfactory.dogetbean) [http-8443-2] returning cached instance of singleton bean 'org.springframework.security.access.expression.method.defaultmethodsecurityexpressionhandler#0' mdc{} 2015-04-23 11:01:43,052 debug (o.s.b.f.s.abstractbeanfactory.dogetbean) [http-8443-2] returning cached instance of singleton bean 'securityexpressionhandler' mdc{} 2015-04-23 11:01:43,052 debug (o.s.b.f.s.abstractbeanfactory.dogetbean) [http-8443-2] returning cached instance of singleton bean 'org.springframework.security.web.access.expression.defaultwebsecurityexpressionhandler#0' mdc{} 2015-04-23 11:01:43,052 debug (o.s.b.f.s.abstractbeanfactory.dogetbean) [http-8443-2] returning cached instance of singleton bean 'org.springframework.security.access.expression.method.defaultmethodsecurityexpressionhandler#0' mdc{} 2015-04-23 11:01:43,052 debug (o.s.b.f.s.abstractbeanfactory.dogetbean) [http-8443-2] returning cached instance of singleton bean 'securityexpressionhandler' mdc{} 2015-04-23 11:01:43,052 debug (o.s.b.f.s.abstractbeanfactory.dogetbean) [http-8443-2] returning cached instance of singleton bean 'org.springframework.security.web.access.expression.defaultwebsecurityexpressionhandler#0' mdc{} 2015-04-23 11:01:43,083 debug (o.s.s.w.c.httpsessionsecuritycontextrepository$savetosessionresponsewrapper.savecontext) [http-8443-2] securitycontext empty or contents anonymous - context not stored in httpsession. mdc{} 2015-04-23 11:01:43,083 debug (o.s.w.s.frameworkservlet.processrequest) [http-8443-2] completed request mdc{} 2015-04-23 11:01:43,083 debug (o.s.s.w.a.exceptiontranslationfilter.dofilter) [http-8443-2] chain processed mdc{} 2015-04-23 11:01:43,083 debug (o.s.s.w.c.securitycontextpersistencefilter.dofilter) [http-8443-2] securitycontextholder cleared, request processing completed mdc{} 2015-04-23 11:01:45,907 debug (o.s.s.w.u.m.antpathrequestmatcher.matches) [http-8443-2] checking match of request : '/causes'; against '/resources/css/**' mdc{} 2015-04-23 11:01:45,907 debug (o.s.s.w.u.m.antpathrequestmatcher.matches) [http-8443-2] checking match of request : '/causes'; against '/resources/fonts/**' mdc{} 2015-04-23 11:01:45,907 debug (o.s.s.w.u.m.antpathrequestmatcher.matches) [http-8443-2] checking match of request : '/causes'; against '/resources/images/**' mdc{} 

update 2015-04-23 14:37:00 solved

my problem solved. since sent via ajax post logout, received url supposed point browser success logout handler. have manually point browser location javascript window.location.href = new_url.

answering can close question.

if you're using spring security's csrf protection, must post log out (though configurable believe).

can logout post javascript non-ajax? like:

<!-- anywhere in document: --> <form:form action="deconnexion" id="logoutform">   <!-- csrf hidden input included automagically --> </form:form>  <!-- in menu: --> <a href="#" onclick="document.forms.nameditem('logoutform').submit()">log out</a> 

Popular posts from this blog

c# - ODP.NET Oracle.ManagedDataAccess causes ORA-12537 network session end of file -

matlab - Compression and Decompression of ECG Signal using HUFFMAN ALGORITHM -

utf 8 - split utf-8 string into bytes in python -