Class LogoutFilter

All Implemented Interfaces:
javax.servlet.Filter, org.apache.shiro.lang.util.Nameable

public class LogoutFilter extends AdviceFilter
Simple Filter that, upon receiving a request, will immediately log out the currently executing subject and then redirect them to a configured redirectUrl.
Since:
1.2
  • Field Details

    • DEFAULT_REDIRECT_URL

      public static final String DEFAULT_REDIRECT_URL
      The default redirect URL to where the user will be redirected after logout. The value is "/", Shiro's representation of the web application's context root.
  • Constructor Details

  • Method Details

    • preHandle

      protected boolean preHandle(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response) throws Exception
Acquires the currently executing Subject, resolves a potentially Subject- or request-specific redirectUrl (via getRedirectUrl, which runs before the Subject is logged out), logs the Subject out, and redirects the end user to that redirect URL. When postOnlyLogout is enabled and the request is not a POST, none of this happens and onLogoutRequestNotAPost is invoked instead.
      Overrides:
      preHandle in class AdviceFilter
      Parameters:
      request - the incoming ServletRequest
      response - the outgoing ServletResponse
      Returns:
false always, as typically no further interaction should occur after the user has been logged out.
      Throws:
      Exception - if there is any error.
    • getSubject

      protected org.apache.shiro.subject.Subject getSubject(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response)
      Returns the currently executing Subject. This implementation merely defaults to calling SecurityUtils.getSubject(), but can be overridden by subclasses for different retrieval strategies.
      Parameters:
      request - the incoming Servlet request
      response - the outgoing Servlet response
      Returns:
      the currently executing Subject.
    • issueRedirect

      protected void issueRedirect(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, String redirectUrl) throws Exception
      Issues an HTTP redirect to the specified URL after subject logout. This implementation simply calls WebUtils.issueRedirect(request,response,redirectUrl).
      Parameters:
      request - the incoming Servlet request
      response - the outgoing Servlet response
      redirectUrl - the URL to where the browser will be redirected immediately after Subject logout.
      Throws:
      Exception - if there is any error.
    • getRedirectUrl

      protected String getRedirectUrl(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, org.apache.shiro.subject.Subject subject)
Returns the redirect URL to send the user to after logout. This default implementation ignores the arguments and returns the statically configured redirectUrl property, but this method may be overridden by subclasses to dynamically construct the URL based on the request or subject if necessary. If an override derives the URL from request data (a query parameter or header), it must validate that value as a context-relative path before returning it; otherwise the logout endpoint becomes an open redirect.

      Note: the Subject is not yet logged out at the time this method is invoked. You may access the Subject's session if one is available and if necessary.

      Tip: if you need to access the Subject's session, consider using the Subject.getSession(false) method to ensure a new session isn't created unnecessarily. If a session was created, it will be immediately stopped after logout, not providing any value and unnecessarily taxing session infrastructure/resources.

      Parameters:
      request - the incoming Servlet request
      response - the outgoing ServletResponse
      subject - the not-yet-logged-out currently executing Subject
      Returns:
      the redirect URL to send the user after logout.
    • getRedirectUrl

      public String getRedirectUrl()
      Returns the URL to where the user will be redirected after logout. Default is the web application's context root, i.e. "/"
      Returns:
      the URL to where the user will be redirected after logout.
    • setRedirectUrl

      public void setRedirectUrl(String redirectUrl)
      Sets the URL to where the user will be redirected after logout. Default is the web application's context root, i.e. "/"
      Parameters:
      redirectUrl - the url to where the user will be redirected after logout
    • onLogoutRequestNotAPost

      protected boolean onLogoutRequestNotAPost(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response)
      This method is called when postOnlyLogout is true, and the request was NOT a POST. For example if this filter is bound to '/logout' and the caller makes a GET request, this method would be invoked.

The default implementation sets the response status code to 405 (Method Not Allowed), sets the 'Allow' header to 'POST', and always returns false, so the Subject is not logged out and the filter chain does not continue.

      Returns:
      The return value indicates if the processing should continue in this filter chain.
    • isPostOnlyLogout

      public boolean isPostOnlyLogout()
Because browsers and link-prefetching tools may pre-fetch URLs, using a GET request for logout may log a user out accidentally, for example while typing in the address bar. If postOnlyLogout is true, only POST requests will cause a logout to occur; any other method is handled by onLogoutRequestNotAPost. The default is false. Note that POST-only logout addresses prefetching, not cross-site requests: a form POSTed from another origin can still log the user out unless a CSRF token is also enforced.
      Returns:
      Returns true if POST only logout is enabled
    • setPostOnlyLogout

      public void setPostOnlyLogout(boolean postOnlyLogout)
Because browsers and link-prefetching tools may pre-fetch URLs, using a GET request for logout may log a user out accidentally, for example while typing in the address bar. If postOnlyLogout is true, only POST requests will cause a logout to occur. The default is false; enabling it is recommended for any logout URL that can appear in a link.
      Parameters:
      postOnlyLogout - enable or disable POST only logout.
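The following subclass is an added example, not code from Shiro or from this class's documentation. It ties together the getRedirectUrl override described above (reading the not-yet-logged-out Subject's session with getSession(false)) and the postOnlyLogout setting. The class name SafeRedirectLogoutFilter, the session attribute name POST_LOGOUT_URL_ATTR and the helper isSafeLocalPath are assumptions made for the example; the shiro.ini lines in the comment show how such a filter would be wired to /logout.

```java
// Added example (not part of Shiro). Assumed names: SafeRedirectLogoutFilter,
// POST_LOGOUT_URL_ATTR, isSafeLocalPath.
//
// Wiring in shiro.ini (configuration, shown here as a comment):
//   [main]
//   logout = example.SafeRedirectLogoutFilter
//   [urls]
//   /logout = logout
package example;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.shiro.session.Session;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.LogoutFilter;

public class SafeRedirectLogoutFilter extends LogoutFilter {

    /** Hypothetical session attribute that login code may set to a context-relative path. */
    public static final String POST_LOGOUT_URL_ATTR = "postLogoutUrl";

    public SafeRedirectLogoutFilter() {
        // GET /logout from a prefetch or an address-bar suggestion must not end the session:
        // non-POST requests get a 405 with "Allow: POST" from onLogoutRequestNotAPost().
        setPostOnlyLogout(true);
        // Fallback target when no per-session path is present or it fails validation.
        setRedirectUrl("/login");
    }

    @Override
    protected String getRedirectUrl(ServletRequest request, ServletResponse response, Subject subject) {
        // Invoked by preHandle() before subject.logout(), so the session is still readable.
        // getSession(false): a session created here would be stopped by logout() a moment later.
        Session session = subject.getSession(false);
        if (session != null) {
            Object candidate = session.getAttribute(POST_LOGOUT_URL_ATTR);
            if (candidate instanceof String && isSafeLocalPath((String) candidate)) {
                return (String) candidate;
            }
        }
        return super.getRedirectUrl(request, response, subject);
    }

    /**
     * Accept only context-relative paths. WebUtils.issueRedirect prefixes the servlet
     * context path to URLs beginning with "/", so "/account" stays on this host, whereas
     * "//evil.example" or "/\evil.example" would be treated by browsers as scheme-relative
     * and must be rejected. CR/LF are refused as defence in depth against header injection.
     */
    static boolean isSafeLocalPath(String path) {
        if (path == null || path.isEmpty() || path.charAt(0) != '/') {
            return false;
        }
        if (path.length() > 1 && (path.charAt(1) == '/' || path.charAt(1) == '\\')) {
            return false;
        }
        return path.indexOf('\r') < 0 && path.indexOf('\n') < 0;
    }
}
```

The validation is deliberately an allow-list on shape rather than a deny-list of hostnames: anything that is not a plain context-relative path falls back to the configured redirectUrl, which keeps the override from turning logout into an open redirect even if the session attribute is populated from user-controlled input elsewhere in the application.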