Using Spring Security logout with Struts 2

In this section let us implement a logout scenario, where the logged-in user will be logged out of the application. The logout action will be handled by the Spring Security framework. We need to configure the struts.xml file to handle the j_spring_security_logout action.

Getting ready

  • Create a dynamic web project in Eclipse
  • Add the Struts 2 related JARs
  • Add Spring Security-related JARs
  • The web.xml, struts2.xml, and JSP settings remain the same as the previous application

How to do it...

  1. Let's update the secure page, hello.jsp:
    <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
    <%@page import="java.security.Principal" %>
    <html>
    <body>
    Hello .You are seeing a secured Page now.

    <a href="<c:url value="/j_spring_security_logout" />">Logout</a>
    </body>
    </html>
  2. Let's map the j_spring_security_logout action in the struts.xml file:

    When the user clicks on logout, the user will be logged out and will be redirected to index.jsp.

    <!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
    "http://struts.apache.org/dtds/struts-2.0.dtd">
    <struts>
       <package name="default" namespace="/" extends="struts-default">
          <action name="helloWorld">
             <result>success.jsp</result>
          </action>

          <action name="login">
             <result>login.jsp</result>
          </action>

          <action name="loginfailed">
             <result>login.jsp?error=true</result>
          </action>

          <action name="welcome">
             <result>secure/hello.jsp</result>
          </action>

          <action name="j_spring_security_logout">
             <result>index.jsp</result>
          </action>
       </package>
    </struts>
  3. Update the applicationcontext-security.xml file:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
       xmlns:beans="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security-3.1.xsd">

       <global-method-security pre-post-annotations="enabled">
       </global-method-security>
       <http>
          <intercept-url pattern="/welcome" access="ROLE_TELLER" />
          <logout logout-success-url="/helloWorld" />
          <http-basic />
       </http>
       <authentication-manager>
          <authentication-provider>
             <password-encoder hash="sha" />
             <user-service>
                <user name="anjana" password="bde892ed4e131546a2f9997cc94d31e2c8f18b2a"
                   authorities="ROLE_TELLER" />
             </user-service>
          </authentication-provider>
       </authentication-manager>
    </beans:beans>

How it works...

Spring Security also provides options to handle logout. When the user clicks on logout, the user is directed to the assigned page.

j_spring_security_logout provides the logout option for the Struts 2 application.

The Struts 2 application maps this URL to its action.

The logout option is usually given in the secured pages.
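The recipe's `<http>` block with the logout behaviour written out explicitly, as an added example that is not part of the original recipe. It assumes the same applicationcontext-security.xml (security schema as the default namespace, 3.1 XSD) and that the servlet container uses the usual JSESSIONID session cookie name.

```xml
<!-- Added example: drop-in replacement for the <http> element in
     applicationcontext-security.xml. Attribute names are from the
     Spring Security 3.1 security namespace. -->
<http>
   <intercept-url pattern="/welcome" access="ROLE_TELLER" />

   <!-- logout-url: the URL the logout filter listens on. This value is the
        3.1 default, written out so it visibly matches the link in hello.jsp.
        logout-success-url: where the browser is redirected after logout
        (value kept from the recipe).
        invalidate-session: discard the HttpSession on logout, so the old
        session id can no longer be used (true is also the default).
        delete-cookies: expire the named cookies in the logout response.
        JSESSIONID is an assumption: it is the usual container default, but
        the container can be configured to use another name. -->
   <logout logout-url="/j_spring_security_logout"
           logout-success-url="/helloWorld"
           invalidate-session="true"
           delete-cookies="JSESSIONID" />

   <!-- Kept from the recipe. With HTTP Basic the browser caches the
        credentials and resends them on later requests, so the next request
        to /welcome re-authenticates silently even though the session was
        invalidated. A form-based login avoids this. -->
   <http-basic />
</http>
```

To check the result, log in, click Logout, and confirm in the browser's developer tools that the logout response expires the JSESSIONID cookie and that the old session id is rejected.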

There's more...

Until now we have stored the authentication information in the .xml file. We have also hashed the password. How about storing the information in an external system and retrieving it from there? Let's see how Struts 2 works with database authentication in the following section.

See also

  • The Displaying custom error messages in Struts 2 for authentication failure recipe
  • The Authenticating databases with Struts 2 and Spring Security recipe
  • The Authenticating with ApacheDS with Spring Security and Struts 2 application recipe
  • The Getting the logged-in user info in Struts 2 with Spring Security recipe