I have implemented LDAP authentication in my application and I have a problem with authentication even after deleting cookies using the logout method. Code snippet:
// Imports and the class wrapper were not in the posted snippet; added so it compiles.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.WebUtils;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomUserDetailsContextMapper userDetailsMapper;

    // LDAP settings and the cookie lifetime are used by the snippet but their wiring
    // (properties / @Value) is not shown; declared here so the class compiles.
    private String url;
    private String username;
    private String password;
    private String searchfilter;
    private String searchbase;
    private String groupsearchbase;
    private int expiryTime = 3600; // seconds, as stated in the original comment

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic()
            .and()
            // Only /login is protected; every other URL, including /random/controller,
            // is reachable without authentication because there is no anyRequest() rule.
            .authorizeRequests().antMatchers("/login").authenticated()
            .and()
            .csrf().csrfTokenRepository(csrfTokenRepository())
            .and()
            .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
            .sessionManagement()
                .maximumSessions(200).expiredUrl("/logout").maxSessionsPreventsLogin(true)
                .sessionRegistry(sessionRegistry())
                .and()
            .and()
            // With CSRF protection enabled, LogoutFilter only matches POST /logout;
            // a GET /logout bypasses it and reaches LoginController.logout() instead.
            .logout()
                .logoutUrl("/logout")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID", "XSRF-TOKEN")
                .logoutSuccessHandler(new LogoutSuccessHandler() {
                    @Override
                    public void onLogoutSuccess(HttpServletRequest request,
                            HttpServletResponse response, Authentication authentication)
                            throws IOException, ServletException {
                        // sendError(200) goes through the container's error-page handling;
                        // a plain 200 status is what the REST client expects.
                        response.setStatus(HttpServletResponse.SC_OK);
                    }
                });
    }

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Not in the posted snippet: the repository the csrf() call above refers to. Assumed
    // to be the usual session-backed repository that reads the X-XSRF-TOKEN header.
    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN");
        return repository;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
            .userDetailsContextMapper(userDetailsMapper)
            .userSearchFilter(searchfilter)
            .userSearchBase(searchbase)
            .groupSearchBase(groupsearchbase)
            .contextSource()
                .url(url)
                .managerDn(username)
                .managerPassword(password);
    }

    private Filter csrfHeaderFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request,
                    HttpServletResponse response, FilterChain filterChain)
                    throws ServletException, IOException {
                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
                if (csrf == null) {
                    // The original never continued the chain here, leaving the request hanging.
                    filterChain.doFilter(request, response);
                    return;
                }
                // getRequestURI() never returns null; the leading-slash stripping in the
                // original amounts to a case-insensitive match on "/login".
                if ("/login".equalsIgnoreCase(request.getRequestURI())) {
                    // Hand the token to the client as a cookie (deliberately readable by
                    // JavaScript, so it can be echoed back in the X-XSRF-TOKEN header).
                    Cookie cookie = new Cookie("XSRF-TOKEN", csrf.getToken());
                    cookie.setPath("/");
                    cookie.setMaxAge(expiryTime);
                    response.addCookie(cookie);
                    filterChain.doFilter(request, response);
                } else if (WebUtils.getCookie(request, "XSRF-TOKEN") != null) {
                    // Presence of the cookie is not an authorization check (any client can
                    // set a cookie); the token comparison is done by CsrfFilter, which runs
                    // before this filter.
                    filterChain.doFilter(request, response);
                } else {
                    response.sendError(HttpServletResponse.SC_FORBIDDEN,
                            "you are not authorized to see this page. Issue has been logged.");
                }
            }
        };
    }
}
Controller
// Imports and the closing brace were not in the posted snippet; added so it compiles.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/")
public class LoginController {

    @Autowired
    private CustomUserDetailsContextMapper userDetailsMapper;

    // Reaching this method means HTTP Basic authentication has already succeeded;
    // /login is the only URL the security configuration protects.
    @RequestMapping(value = { "/login" }, method = RequestMethod.GET)
    public ResponseEntity<CustomUser> login() {
        CustomUser customUser = userDetailsMapper.getUserDetails();
        return new ResponseEntity<CustomUser>(customUser, HttpStatus.OK);
    }

    // Only reached when the request did not match Spring Security's LogoutFilter;
    // this method performs no logout itself.
    @RequestMapping(value = { "/logout" }, method = RequestMethod.GET)
    public String logout() {
        return "success";
    }

    /*
     * This controller is just for testing, we can delete it later.
     */
    @RequestMapping(value = { "/random/controller" }, method = RequestMethod.GET)
    public HttpStatus retrievelogin1() {
        System.out.println("user is " + userDetailsMapper.getUserDetails());
        return HttpStatus.ACCEPTED;
    }
}
Problem is:
When I log in the first time it works fine; it asks for credentials and everything works as expected, but when I log out and log in again, it does not ask for credentials.
As per the code, logout deletes cookies and I can see that using a request client, but it still never asks for credentials. I have tried different browsers (IE, Firefox, Chrome) and I have tried incognito mode as well, but to no avail.
It seems like the browser stores it in cache.
When I use formLogin instead of httpBasic then I see the login page every time, but in my case I cannot use formLogin; I have to use httpBasic.
Please provide me your thoughts. If any information is required please let me know.
Thanks in advance,