public class LogoutFilter extends AdviceFilter
Logs out the currently executing subject and then redirects them to a configured redirectUrl.
Modifier and Type | Field and Description |
---|---|
static String | DEFAULT_REDIRECT_URL: The default redirect URL to where the user will be redirected after logout. |
Inherited fields: ALREADY_FILTERED_SUFFIX, filterConfig
Constructor and Description |
---|
LogoutFilter() |
Modifier and Type | Method and Description |
---|---|
String | getRedirectUrl(): Returns the URL to where the user will be redirected after logout. |
protected String | getRedirectUrl(ServletRequest request, ServletResponse response, Subject subject): Returns the redirect URL to send the user after logout. |
protected Subject | getSubject(ServletRequest request, ServletResponse response): Returns the currently executing Subject. |
boolean | isPostOnlyLogout(): Due to browser pre-fetching, using GET requests for logout may cause a user to be logged out accidentally, for example while typing in an address bar. |
protected void | issueRedirect(ServletRequest request, ServletResponse response, String redirectUrl): Issues an HTTP redirect to the specified URL after subject logout. |
protected boolean | onLogoutRequestNotAPost(ServletRequest request, ServletResponse response): This method is called when postOnlyLogout is true, and the request was NOT a POST. |
protected boolean | preHandle(ServletRequest request, ServletResponse response): Acquires the currently executing subject, a potentially Subject- or request-specific redirectUrl, and redirects the end-user to that redirect url. |
void | setPostOnlyLogout(boolean postOnlyLogout): Due to browser pre-fetching, using GET requests for logout may cause a user to be logged out accidentally, for example while typing in an address bar. |
void | setRedirectUrl(String redirectUrl): Sets the URL to where the user will be redirected after logout. |
Inherited methods:
afterCompletion, cleanup, doFilterInternal, executeChain, postHandle
doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, setEnabled, shouldNotFilter
getName, setName, toStringBuilder
destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig
getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString
public static final String DEFAULT_REDIRECT_URL
The default redirect URL to where the user will be redirected after logout: "/", Shiro's representation of the web application's context root.

public LogoutFilter()
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception
Acquires the currently executing subject, a potentially Subject- or request-specific redirectUrl, and redirects the end-user to that redirect url.
Overrides: preHandle in class AdviceFilter
Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
Returns: false always, as typically no further interaction should be done after user logout.
Throws: Exception - if there is any error.

protected Subject getSubject(ServletRequest request, ServletResponse response)
Returns the currently executing Subject. This implementation merely defaults to calling SecurityUtils.getSubject(), but can be overridden by subclasses for different retrieval strategies.
Parameters:
request - the incoming Servlet request
response - the outgoing Servlet response
Returns: the currently executing Subject.

protected void issueRedirect(ServletRequest request, ServletResponse response, String redirectUrl) throws Exception
Issues an HTTP redirect to the specified URL after subject logout. This implementation calls WebUtils.issueRedirect(request,response,redirectUrl).
Parameters:
request - the incoming Servlet request
response - the outgoing Servlet response
redirectUrl - the URL to where the browser will be redirected immediately after Subject logout.
Throws: Exception - if there is any error.

protected String getRedirectUrl(ServletRequest request, ServletResponse response, Subject subject)
Returns the redirect URL to send the user after logout. This implementation returns the configured redirectUrl property, but this method may be overridden by subclasses to dynamically construct the URL based on the request or subject if necessary.
Note: the Subject is not yet logged out at the time this method is invoked. You may access the Subject's session if one is available and if necessary.
Tip: if you need to access the Subject's session, consider using the Subject.getSession(false) method to ensure a new session isn't created unnecessarily. If a session would be created, it will be immediately stopped after logout, not providing any value and unnecessarily taxing session infrastructure/resources.
Parameters:
request - the incoming Servlet request
response - the outgoing ServletResponse
subject - the not-yet-logged-out currently executing Subject

public String getRedirectUrl()
Returns the URL to where the user will be redirected after logout. The default is "/".

public void setRedirectUrl(String redirectUrl)
Sets the URL to where the user will be redirected after logout. The default is "/".
Parameters:
redirectUrl - the url to where the user will be redirected after logout

protected boolean onLogoutRequestNotAPost(ServletRequest request, ServletResponse response)
This method is called when postOnlyLogout is true, and the request was NOT a POST.
For example, if this filter is bound to '/logout' and the caller makes a GET request, this method would be invoked.
The default implementation sets the response code to 405, sets the 'Allow' header to 'POST', and always returns false.
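
An added example, not part of the Shiro Javadoc or Shiro's own code: a subclass that enables POST-only logout and overrides getRedirectUrl(request, response, subject) following the Note and Tip above. The class name TenantLogoutFilter, the session attribute key and the isLocalPath helper are hypothetical.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.LogoutFilter;

/** Added example: POST-only logout with a per-session redirect target. */
public class TenantLogoutFilter extends LogoutFilter {

    // Hypothetical key; assumes the application stores a landing path at login.
    static final String LANDING_ATTR = "postLogoutLanding";

    public TenantLogoutFilter() {
        // A GET (for example a browser pre-fetch) now reaches
        // onLogoutRequestNotAPost(), which by default answers 405 with
        // "Allow: POST", and the Subject stays logged in.
        setPostOnlyLogout(true);
    }

    @Override
    protected String getRedirectUrl(ServletRequest request,
                                    ServletResponse response,
                                    Subject subject) {
        // The Subject is not yet logged out here, so its session is still
        // readable. getSession(false) returns null instead of creating a
        // session that logout would stop again immediately.
        Session session = subject.getSession(false);
        Object landing = (session == null) ? null : session.getAttribute(LANDING_ATTR);
        if (landing instanceof String && isLocalPath((String) landing)) {
            return (String) landing;
        }
        return getRedirectUrl(); // configured redirectUrl, "/" by default
    }

    // Accept only context-relative paths so a stored value cannot send the
    // browser to another host after logout.
    static boolean isLocalPath(String url) {
        return url.startsWith("/") && !url.startsWith("//")
                && url.indexOf('\\') < 0 && !url.contains("://");
    }
}
```
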
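public boolean isPostOnlyLogout()
Due to browser pre-fetching, using GET requests for logout may cause a user to be logged out accidentally, for example while typing in an address bar. If postOnlyLogout is true, only POST requests will cause a logout to occur.

public void setPostOnlyLogout(boolean postOnlyLogout)
Due to browser pre-fetching, using GET requests for logout may cause a user to be logged out accidentally, for example while typing in an address bar. If postOnlyLogout is true, only POST requests will cause a logout to occur.
Parameters:
postOnlyLogout - enable or disable POST only logout.

Copyright © 2004–2020 The Apache Software Foundation. All rights reserved.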