Class LogoutFilter

    • Field Detail

      • DEFAULT_REDIRECT_URL

        public static final String DEFAULT_REDIRECT_URL
        The default redirect URL to where the user will be redirected after logout. The value is "/", Shiro's representation of the web application's context root.
        See Also:
        Constant Field Values
    • Method Detail

      • preHandle

        protected boolean preHandle(ServletRequest request,
                                    ServletResponse response)
                             throws Exception
        Acquires the currently executing subject and a redirectUrl (potentially Subject- or request-specific), and redirects the end-user to that redirect URL.
        Overrides:
        preHandle in class AdviceFilter
        Parameters:
        request - the incoming ServletRequest
        response - the outgoing ServletResponse
        Returns:
        always false, as typically no further interaction should occur after user logout.
        Throws:
        Exception - if there is any error.
      • getSubject

        protected Subject getSubject(ServletRequest request,
                                     ServletResponse response)
        Returns the currently executing Subject. This implementation merely defaults to calling SecurityUtils.getSubject(), but can be overridden by subclasses for different retrieval strategies.
        Parameters:
        request - the incoming Servlet request
        response - the outgoing Servlet response
        Returns:
        the currently executing Subject.
      • getRedirectUrl

        protected String getRedirectUrl(ServletRequest request,
                                        ServletResponse response,
                                        Subject subject)
        Returns the redirect URL to send the user after logout. This default implementation ignores the arguments and returns the static configured redirectUrl property, but this method may be overridden by subclasses to dynamically construct the URL based on the request or subject if necessary.

        Note: the Subject is not yet logged out at the time this method is invoked. You may access the Subject's session if one is available and if necessary.

        Tip: if you need to access the Subject's session, consider using the Subject.getSession(false) method to ensure a new session isn't created unnecessarily. If a session would be created, it will be immediately stopped after logout, not providing any value and unnecessarily taxing session infrastructure/resources.

        Parameters:
        request - the incoming Servlet request
        response - the outgoing ServletResponse
        subject - the not-yet-logged-out currently executing Subject
        Returns:
        the redirect URL to send the user after logout.
      • getRedirectUrl

        public String getRedirectUrl()
        Returns the URL to where the user will be redirected after logout. Default is the web application's context root, i.e. "/"
        Returns:
        the URL to where the user will be redirected after logout.
      • setRedirectUrl

        public void setRedirectUrl(String redirectUrl)
        Sets the URL to where the user will be redirected after logout. Default is the web application's context root, i.e. "/"
        Parameters:
        redirectUrl - the url to where the user will be redirected after logout
      • onLogoutRequestNotAPost

        protected boolean onLogoutRequestNotAPost(ServletRequest request,
                                                  ServletResponse response)
        This method is called when postOnlyLogout is true, and the request was NOT a POST. For example if this filter is bound to '/logout' and the caller makes a GET request, this method would be invoked.

        The default implementation sets the response code to a 405, and sets the 'Allow' header to 'POST', and always returns false.

        Returns:
        The return value indicates if the processing should continue in this filter chain.
      • isPostOnlyLogout

        public boolean isPostOnlyLogout()
        Due to browser pre-fetching, using GET requests for logout may cause a user to be logged out accidentally, for example while typing in an address bar. If postOnlyLogout is true, only POST requests will cause a logout to occur.
        Returns:
        true if POST-only logout is enabled
      • setPostOnlyLogout

        public void setPostOnlyLogout(boolean postOnlyLogout)
        Due to browser pre-fetching, using GET requests for logout may cause a user to be logged out accidentally, for example while typing in an address bar. If postOnlyLogout is true, only POST requests will cause a logout to occur.
        Parameters:
        postOnlyLogout - enable or disable POST only logout.
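
An added example (not part of Shiro or of this Javadoc): a subclass that overrides getRedirectUrl(request, response, subject) as described above and enables postOnlyLogout. The class name, the returnTo parameter, the postLogoutLanding session attribute and the javax.servlet imports are assumptions; a dynamically chosen target is accepted only when it is a path inside the application, otherwise the configured redirectUrl is used.

```java
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.LogoutFilter;

/** Hypothetical subclass for illustration; not part of Shiro. */
public class SafeRedirectLogoutFilter extends LogoutFilter {

    static final String RETURN_PARAM = "returnTo";          // assumed request parameter
    static final String LANDING_ATTR = "postLogoutLanding"; // assumed session attribute

    public SafeRedirectLogoutFilter() {
        // A non-POST request to this filter now reaches onLogoutRequestNotAPost
        // (405 with 'Allow: POST' by default) instead of logging the user out.
        setPostOnlyLogout(true);
    }

    @Override
    protected String getRedirectUrl(ServletRequest request, ServletResponse response,
                                    Subject subject) {
        String candidate = request.getParameter(RETURN_PARAM);
        if (candidate == null) {
            // The Subject is not yet logged out, so its session is still readable.
            // getSession(false) avoids creating a session that logout would stop at once.
            Session session = subject.getSession(false);
            Object landing = (session != null) ? session.getAttribute(LANDING_ATTR) : null;
            candidate = (landing instanceof String) ? (String) landing : null;
        }
        // Fall back to the static redirectUrl property ("/" unless configured otherwise).
        return isLocalPath(candidate) ? candidate : getRedirectUrl();
    }

    /** True only for a path inside this application: no scheme, no host, no "//" prefix. */
    static boolean isLocalPath(String candidate) {
        if (candidate == null || !candidate.startsWith("/") || candidate.startsWith("//")) {
            return false;
        }
        try {
            URI uri = new URI(candidate); // rejects backslashes, spaces and control characters
            return uri.getScheme() == null && uri.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false;
        }
    }
}
```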