
1   /* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
2    *
3    * Licensed under the Apache License, Version 2.0 (the "License");
4    * you may not use this file except in compliance with the License.
5    * You may obtain a copy of the License at
6    *
7    *     http://www.apache.org/licenses/LICENSE-2.0
8    *
9    * Unless required by applicable law or agreed to in writing, software
10   * distributed under the License is distributed on an "AS IS" BASIS,
11   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12   * See the License for the specific language governing permissions and
13   * limitations under the License.
14   */
15  
16  package org.springframework.security.ui.logout;
17  
18  import org.springframework.security.Authentication;
19  
20  import org.springframework.security.context.SecurityContextHolder;
21  import org.springframework.util.Assert;
22  
23  import javax.servlet.http.HttpServletRequest;
24  import javax.servlet.http.HttpServletResponse;
25  import javax.servlet.http.HttpSession;
26  
/**
 * {@link LogoutHandler} that ends the caller's authenticated state by clearing the
 * {@link org.springframework.security.context.SecurityContextHolder}.
 * <p>
 * When {@link #isInvalidateHttpSession()} is <code>true</code> (the default) and the request already has an
 * {@link HttpSession}, that session is invalidated before the context is cleared.
 * <p>
 * The response is never touched by this handler, so state held on the client (cookies, for example) is not
 * cleared here.
 *
 * @author Ben Alex
 * @version $Id: SecurityContextLogoutHandler.java 3226 2008-08-06 16:18:05Z luke_t $
 */
public class SecurityContextLogoutHandler implements LogoutHandler {
    /** Whether {@link #logout} invalidates an existing session; on unless explicitly switched off. */
    private boolean invalidateHttpSession = true;

    //~ Methods ========================================================================================================

    /**
     * Invalidates the existing HTTP session (when enabled and one is present) and then clears the security context.
     *
     * @param request        the request whose existing HTTP session is looked up (must not be null)
     * @param response       ignored (may be <code>null</code>)
     * @param authentication ignored (may be <code>null</code>)
     * @throws IllegalArgumentException if <code>request</code> is <code>null</code>
     */
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
        Assert.notNull(request, "HttpServletRequest required");

        // getSession(false) only looks up an existing session; logout must not create one just to discard it.
        HttpSession existing = invalidateHttpSession ? request.getSession(false) : null;
        if (existing != null) {
            existing.invalidate();
        }

        // Always runs, whatever the session setting is. With invalidation switched off the session itself
        // stays valid, so anything else the application stored in it is not removed by this handler.
        SecurityContextHolder.clearContext();
    }

    /**
     * Reports whether {@link #logout} will invalidate an existing {@link HttpSession}.
     *
     * @return <code>true</code> if the session is invalidated on logout (the default), <code>false</code> otherwise
     */
    public boolean isInvalidateHttpSession() {
        return this.invalidateHttpSession;
    }

    /**
     * Controls whether the {@link HttpSession} is invalidated when this {@link LogoutHandler} is invoked.
     * Defaults to true.
     * <p>
     * With <code>false</code>, the session that existed before logout is still usable afterwards; only the
     * security context is cleared.
     *
     * @param invalidateHttpSession true if you wish the session to be invalidated (default) or false if it should
     * not be.
     */
    public void setInvalidateHttpSession(boolean invalidateHttpSession) {
        this.invalidateHttpSession = invalidateHttpSession;
    }

}