SEC-491: Add alternative options for determining logout URL.

18 years ago · 9f45f95fab
1 changed files with 30 additions and 2 deletions
--- a/core/src/main/java/org/springframework/security/ui/logout/LogoutFilter.java
+++ b/core/src/main/java/org/springframework/security/ui/logout/LogoutFilter.java
@ -30,6 +30,7 @@ import org.springframework.security.context.SecurityContextHolder;
				@@ -30,6 +30,7 @@ import org.springframework.security.context.SecurityContextHolder;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;

 /**
 * Logs a principal out.
@ -64,7 +65,6 @@ public class LogoutFilter extends SpringSecurityFilter {
				@@ -64,7 +65,6 @@ public class LogoutFilter extends SpringSecurityFilter {
    //~ Constructors ===================================================================================================

    public LogoutFilter(String logoutSuccessUrl, LogoutHandler[] handlers) {
-        Assert.hasText(logoutSuccessUrl, "LogoutSuccessUrl required");
        Assert.notEmpty(handlers, "LogoutHandlers are required");
        this.logoutSuccessUrl = logoutSuccessUrl;
        this.handlers = handlers;
@ -86,7 +86,9 @@ public class LogoutFilter extends SpringSecurityFilter {
				@@ -86,7 +86,9 @@ public class LogoutFilter extends SpringSecurityFilter {
                handlers[i].logout(request, response, auth);
            }

-            sendRedirect(request, response, logoutSuccessUrl);
+            String targetUrl = determineTargetUrl(request, response);
+
+            sendRedirect(request, response, targetUrl);

            return;
        }
@ -125,6 +127,32 @@ public class LogoutFilter extends SpringSecurityFilter {
				@@ -125,6 +127,32 @@ public class LogoutFilter extends SpringSecurityFilter {
        return uri.endsWith(request.getContextPath() + filterProcessesUrl);
    }

+    /**
+     * Returns the target URL to redirect to after logout.
+     * <p>
+     * By default it will check for a <tt>logoutSuccessUrl</tt> parameter in
+     * the request and use this. If that isn't present it will use the configured <tt>logoutSuccessUrl</tt>. If this
+     * hasn't been set it will check the Referer header and use the URL from there.
+     *
+     */
+    protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response) {
+        String targetUrl = request.getParameter("logoutSuccessUrl");
+
+        if(!StringUtils.hasLength(targetUrl)) {
+            targetUrl = logoutSuccessUrl;
+        }
+
+        if (!StringUtils.hasLength(targetUrl)) {
+            targetUrl = request.getHeader("Referer");
+        }        
+
+        if (!StringUtils.hasLength(targetUrl)) {
+            targetUrl = "/";
+        }
+
+        return targetUrl;
+    }
+
    /**
     * Allow subclasses to modify the redirection message.
     *