-
Notifications
You must be signed in to change notification settings - Fork 19
Logout configuration
CAS in the cloud LELEU Jérôme edited this page Dec 12, 2022
·
9 revisions
You need to define a logout endpoint using the LogoutFilter to handle logout.
>> Read the documentation to understand its behavior and the available options.
The available options can be set via setters and servlet parameters.
Yet, there is no config servlet parameter, the configFactory servlet parameter may be used instead to define a configuration.
The configFactory servlet parameter must be defined at least for one filter: it will be shared with other filters.
The LogoutFilter can be defined in the web.xml file:
<filter>
<filter-name>logoutFilter</filter-name>
<filter-class>org.pac4j.j2e.filter.LogoutFilter</filter-class>
<init-param>
<param-name>defaultUrl</param-name>
<param-value>/urlAfterLogout</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>logoutFilter</filter-name>
<url-pattern>/logout</url-pattern>
</filter-mapping>or using CDI and the org.pac4j.jee.util.FilterHelper:
@Named
@ApplicationScoped
public class WebConfig {
@Inject
private Config config;
public void build(@Observes @Initialized(ApplicationScoped.class) ServletContext servletContext) {
final FilterHelper filterHelper = new FilterHelper(servletContext);
...
final LogoutFilter logoutFilter = new LogoutFilter(config, "/?defaulturlafterlogout");
logoutFilter.setDestroySession(true);
filterHelper.addFilterMapping("logoutFilter", logoutFilter, "/logout");
...
}
}It can be defined as a simple JEE filter via Spring:
@Bean
public FilterRegistrationBean logoutFilter() {
final LogoutFilter filter = new LogoutFilter(config(), "/?defaulturlafterlogout");
filter.setDestroySession(true);
final FilterRegistrationBean registrationBean = new FilterRegistrationBean();
registrationBean.setFilter(filter);
registrationBean.addUrlPatterns("/pac4jLogout");
return registrationBean;
}It can be defined in a Java configuration like any Spring Security filter:
@Configuration
@Order(6)
public static class LogoutWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
@Autowired
private Config config;
protected void configure(final HttpSecurity http) throws Exception {
final LogoutFilter logoutFilter = new LogoutFilter(config, "/?defaulturlafterlogout");
logoutFilter.setDestroySession(true);
http
.antMatcher("/pac4jLogout")
.addFilterBefore(logoutFilter, BasicAuthenticationFilter.class)
.csrf().disable();
}
}Or it can be defined in a shiro.ini file:
[main]
pac4jLogout = org.pac4j.jee.filter.LogoutFilter
pac4jLogout.config = $config
[urls]
# Shiro logout:
#/logout = logout
# pac4j logout:
/pac4jLogout = pac4jLogout