SEC-1544: Added CookieClearingLogoutHandler and 'delete-cookies' attribute to the 'logout' namespace element.
When the user logs out, the handler will attempt to delete the named cookies (which it is constructor-injected with) by expiring them in the response. Also added documentation on the feature and a suggestion for deleting JSESSIONID through an Apache proxy server, if the servlet container doesn't allow clearing the session cookie.
This commit is contained in:
@@ -1,7 +1,30 @@
|
||||
package org.springframework.security.web.authentication.logout;
|
||||
|
||||
import static org.junit.Assert.*;
|
||||
import static org.mockito.Mockito.mock;
|
||||
|
||||
import javax.servlet.http.Cookie;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.security.core.Authentication;
|
||||
|
||||
/**
|
||||
* @author Luke Taylor
|
||||
*/
|
||||
public class CookieClearingLogoutHandlerTests {
|
||||
@Test
|
||||
public void configuredCookiesAreCleared() {
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
request.setContextPath("/app");
|
||||
CookieClearingLogoutHandler handler = new CookieClearingLogoutHandler("my_cookie", "my_cookie_too");
|
||||
handler.logout(request, response, mock(Authentication.class));
|
||||
assertEquals(2, response.getCookies().length);
|
||||
for (Cookie c : response.getCookies()) {
|
||||
assertEquals("/app", c.getPath());
|
||||
assertEquals(0, c.getMaxAge());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user