1 /* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
2 *
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 package org.springframework.security.ui.logout;
17
18 import org.springframework.security.Authentication;
19
20 import org.springframework.security.context.SecurityContextHolder;
21 import org.springframework.util.Assert;
22
23 import javax.servlet.http.HttpServletRequest;
24 import javax.servlet.http.HttpServletResponse;
25 import javax.servlet.http.HttpSession;
26
/**
 * {@link LogoutHandler} that logs a user out by clearing the
 * {@link org.springframework.security.context.SecurityContextHolder}.
 * <p>
 * When {@link #isInvalidateHttpSession()} is <code>true</code> (the default) and the request already has an
 * {@link HttpSession}, that session is invalidated before the context is cleared. The session is looked up with
 * <code>getSession(false)</code>, so logging out never creates a new session.
 * <p>
 * NOTE(review): with session invalidation switched off, this handler only clears the holder. The existing
 * session, its identifier and its attributes outlive the logout. Confirm that whatever component persists the
 * security context between requests does not restore the previous authentication from that session.
 *
 * @author Ben Alex
 * @version $Id: SecurityContextLogoutHandler.java 3226 2008-08-06 16:18:05Z luke_t $
 */
public class SecurityContextLogoutHandler implements LogoutHandler {
    /** Whether {@link #logout} should invalidate an existing HTTP session; on by default. */
    private boolean invalidateHttpSession = true;

    //~ Methods ========================================================================================================

    /**
     * Invalidates the current HTTP session (if enabled and one exists) and then clears the security context.
     *
     * @param request source of the HTTP session; must not be <code>null</code>
     * @param response not used by this handler (may be <code>null</code>)
     * @param authentication not used by this handler (may be <code>null</code>)
     *
     * @throws IllegalArgumentException if <code>request</code> is <code>null</code>
     */
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
        Assert.notNull(request, "HttpServletRequest required");

        // Only look the session up when invalidation is enabled; "false" means an absent session stays absent.
        HttpSession existingSession = invalidateHttpSession ? request.getSession(false) : null;

        if (existingSession != null) {
            existingSession.invalidate();
        }

        // Runs whether or not a session was invalidated above.
        SecurityContextHolder.clearContext();
    }

    /**
     * Reports whether {@link #logout} invalidates the {@link HttpSession}.
     *
     * @return <code>true</code> if an existing session is invalidated on logout
     */
    public boolean isInvalidateHttpSession() {
        return this.invalidateHttpSession;
    }

    /**
     * Controls whether the {@link HttpSession} is invalidated when this {@link LogoutHandler} is invoked.
     * Defaults to true.
     *
     * @param invalidateHttpSession true to invalidate the session on logout (default), false to leave it in place
     */
    public void setInvalidateHttpSession(boolean invalidateHttpSession) {
        this.invalidateHttpSession = invalidateHttpSession;
    }

}