I retrofitted my GWT/GXT application with basic LDAP Authorization using basic HTTP authentication. It works well when I start new browser - I get the prompt and get authorized against corporate LDAP. My problem - I can't logout unless I close/reopen the browser. I can debug and see how SecurityContextLogoutHandler#logout is called and the following code is executed
if (invalidateHttpSession) {
HttpSession session = request.getSession(false);
if (session != null) {
session.invalidate();
}
}
SecurityContextHolder.clearContext();
However it seemingly has no effect as site is reloaded and I never get another HTTP auth prompt unless I restart the browser (even clearing the cache/cookies won't help). Here's relevant portion of applicationContext.xml
<security:http auto-config='true'>
<security:intercept-url pattern="/reports/**" access="ROLE_USER" />
<security:http-basic />
<security:logout logout-url="/reports/logout"
logout-success-url="/reports/Application.html" />
</security:http>
I tried to define custom LogoutSuccessHandler and do authentication.setAuthenticated(false); but that also has no effect
Anything here I'm missing here? Your help will be much appreciated
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
