Class LogoutFilter
public class LogoutFilter extends AdviceFilter
Simple Filter that, upon receiving a request, will immediately log-out the currently executing subject and then redirect them to a configured redirectUrl.
Since: 1.2
Field Summary
Fields (Modifier and Type, Field, Description)
static String DEFAULT_REDIRECT_URL
    The default redirect URL to where the user will be redirected after logout.
Fields inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
    ALREADY_FILTERED_SUFFIX
Fields inherited from class org.apache.shiro.web.servlet.AbstractFilter
    filterConfig
Constructor Summary
Constructors (Constructor, Description)
LogoutFilter()
Method Summary
Methods (Modifier and Type, Method, Description)
String getRedirectUrl()
    Returns the URL to where the user will be redirected after logout.
protected String getRedirectUrl(ServletRequest request, ServletResponse response, Subject subject)
    Returns the redirect URL to send the user after logout.
protected Subject getSubject(ServletRequest request, ServletResponse response)
    Returns the currently executing Subject.
boolean isPostOnlyLogout()
    Due to browser pre-fetching, using GET requests for logout may cause a user to be logged out accidentally, for example while typing in an address bar.
protected void issueRedirect(ServletRequest request, ServletResponse response, String redirectUrl)
    Issues an HTTP redirect to the specified URL after subject logout.
protected boolean onLogoutRequestNotAPost(ServletRequest request, ServletResponse response)
    This method is called when postOnlyLogout is true, and the request was NOT a POST.
protected boolean preHandle(ServletRequest request, ServletResponse response)
    Acquires the currently executing subject, a potentially Subject- or request-specific redirectUrl, and redirects the end-user to that redirect url.
void setPostOnlyLogout(boolean postOnlyLogout)
    Due to browser pre-fetching, using GET requests for logout may cause a user to be logged out accidentally, for example while typing in an address bar.
void setRedirectUrl(String redirectUrl)
    Sets the URL to where the user will be redirected after logout.
Methods inherited from class org.apache.shiro.web.servlet.AdviceFilter
    afterCompletion, cleanup, doFilterInternal, executeChain, postHandle
Methods inherited from class org.apache.shiro.web.servlet.OncePerRequestFilter
    doFilter, getAlreadyFilteredAttributeName, isEnabled, isEnabled, setEnabled, shouldNotFilter
Methods inherited from class org.apache.shiro.web.servlet.NameableFilter
    getName, setName, toStringBuilder
Methods inherited from class org.apache.shiro.web.servlet.AbstractFilter
    destroy, getFilterConfig, getInitParam, init, onFilterConfigSet, setFilterConfig
Methods inherited from class org.apache.shiro.web.servlet.ServletContextSupport
    getContextAttribute, getContextInitParam, getServletContext, removeContextAttribute, setContextAttribute, setServletContext, toString
Field Detail
DEFAULT_REDIRECT_URL
public static final String DEFAULT_REDIRECT_URL
The default redirect URL to where the user will be redirected after logout. The value is "/", Shiro's representation of the web application's context root.
See Also: Constant Field Values
Constructor Detail
LogoutFilter
public LogoutFilter()
Method Detail
preHandle
protected boolean preHandle(ServletRequest request, ServletResponse response) throws Exception
Acquires the currently executing subject, a potentially Subject- or request-specific redirectUrl, and redirects the end-user to that redirect url.
Overrides: preHandle in class AdviceFilter
Parameters:
request - the incoming ServletRequest
response - the outgoing ServletResponse
Returns: false always, as typically no further interaction should be done after user logout.
Throws: Exception - if there is any error.
getSubject
protected Subject getSubject(ServletRequest request, ServletResponse response)
Returns the currently executing Subject. This implementation merely defaults to calling SecurityUtils.getSubject(), but can be overridden by subclasses for different retrieval strategies.
Parameters:
request - the incoming Servlet request
response - the outgoing Servlet response
Returns: the currently executing Subject.
issueRedirect
protected void issueRedirect(ServletRequest request, ServletResponse response, String redirectUrl) throws Exception
Issues an HTTP redirect to the specified URL after subject logout. This implementation simply calls WebUtils.issueRedirect(request,response,redirectUrl).
Parameters:
request - the incoming Servlet request
response - the outgoing Servlet response
redirectUrl - the URL to where the browser will be redirected immediately after Subject logout.
Throws: Exception - if there is any error.
getRedirectUrl
protected String getRedirectUrl(ServletRequest request, ServletResponse response, Subject subject)
Returns the redirect URL to send the user after logout. This default implementation ignores the arguments and returns the static configured redirectUrl property, but this method may be overridden by subclasses to dynamically construct the URL based on the request or subject if necessary.
Note: the Subject is not yet logged out at the time this method is invoked. You may access the Subject's session if one is available and if necessary.
Tip: if you need to access the Subject's session, consider using the Subject.getSession(false) method to ensure a new session isn't created unnecessarily. If a session would be created, it will be immediately stopped after logout, not providing any value and unnecessarily taxing session infrastructure/resources.
Parameters:
request - the incoming Servlet request
response - the outgoing ServletResponse
subject - the not-yet-logged-out currently executing Subject
Returns: the redirect URL to send the user after logout.
getRedirectUrl
public String getRedirectUrl()
Returns the URL to where the user will be redirected after logout. Default is the web application's context root, i.e. "/".
Returns: the URL to where the user will be redirected after logout.
setRedirectUrl
public void setRedirectUrl(String redirectUrl)
Sets the URL to where the user will be redirected after logout. Default is the web application's context root, i.e. "/".
Parameters:
redirectUrl - the url to where the user will be redirected after logout
onLogoutRequestNotAPost
protected boolean onLogoutRequestNotAPost(ServletRequest request, ServletResponse response)
This method is called when postOnlyLogout is true, and the request was NOT a POST. For example, if this filter is bound to '/logout' and the caller makes a GET request, this method would be invoked.
The default implementation sets the response code to a 405, and sets the 'Allow' header to 'POST', and always returns false.
Returns: The return value indicates if the processing should continue in this filter chain.
isPostOnlyLogout
public boolean isPostOnlyLogout()
Due to browser pre-fetching, using GET requests for logout may cause a user to be logged out accidentally, for example while typing in an address bar. If postOnlyLogout is true, only POST requests will cause a logout to occur.
Returns: true if POST only logout is enabled
setPostOnlyLogout
public void setPostOnlyLogout(boolean postOnlyLogout)
Due to browser pre-fetching, using GET requests for logout may cause a user to be logged out accidentally, for example while typing in an address bar. If postOnlyLogout is true, only POST requests will cause a logout to occur.
Parameters:
postOnlyLogout - enable or disable POST only logout.
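The getRedirectUrl(request, response, subject) override point and the postOnlyLogout setting described above, combined in one subclass. This is an added example, not code from Shiro or from this page; the class name TenantLogoutFilter, the "tenant" session attribute, the tenant names and the "/signed-out" paths are hypothetical, and the javax.servlet imports assume a Shiro 1.x deployment.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.LogoutFilter;

/** Hypothetical subclass: per-tenant post-logout page, POST-only logout. */
public class TenantLogoutFilter extends LogoutFilter {

    // Hypothetical session attribute the application writes at login time.
    static final String TENANT_KEY = "tenant";

    // Fixed allowlist (constructed sample values): the redirect target is
    // chosen from known paths and is never copied from request data.
    private static final Set<String> KNOWN_TENANTS =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList("acme", "globex")));

    public TenantLogoutFilter() {
        // A GET to the logout path now reaches onLogoutRequestNotAPost()
        // (405 plus "Allow: POST" by default) instead of ending the session.
        setPostOnlyLogout(true);
    }

    @Override
    protected String getRedirectUrl(ServletRequest request, ServletResponse response,
                                    Subject subject) {
        // The Subject is not yet logged out here, so its session is still readable.
        // getSession(false) returns null instead of creating a session that
        // logout would stop immediately afterwards.
        Session session = subject.getSession(false);
        if (session != null) {
            Object tenant = session.getAttribute(TENANT_KEY);
            if (tenant instanceof String && KNOWN_TENANTS.contains(tenant)) {
                return "/" + tenant + "/signed-out";
            }
        }
        // Otherwise use the statically configured redirectUrl (default "/").
        return getRedirectUrl();
    }
}
```

With postOnlyLogout enabled, any page that offers logout has to submit a POST (a form or script request) to the path this filter is bound to, since a plain link will receive the 405 response.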