Logout configuration - pac4j/jee-pac4j GitHub Wiki

You need to define a logout endpoint using the LogoutFilter to handle logout.

>> Read the documentation to understand its behavior and the available options.

The available options can be set via setters and servlet parameters.

1) web.xml

Yet, there is no config servlet parameter, the configFactory servlet parameter may be used instead to define a configuration.
The configFactory servlet parameter must be defined at least for one filter: it will be shared with other filters.

The LogoutFilter can be defined in the web.xml file:

<filter>
  <filter-name>logoutFilter</filter-name>
  <filter-class>org.pac4j.j2e.filter.LogoutFilter</filter-class>
  <init-param>
    <param-name>defaultUrl</param-name>
    <param-value>/urlAfterLogout</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>logoutFilter</filter-name>
  <url-pattern>/logout</url-pattern>
</filter-mapping>

2) CDI (JEE)

or using CDI and the org.pac4j.jee.util.FilterHelper:

@Named
@ApplicationScoped
public class WebConfig {

    @Inject
    private Config config;

    public void build(@Observes @Initialized(ApplicationScoped.class) ServletContext servletContext) {
        final FilterHelper filterHelper = new FilterHelper(servletContext);

        ...

        final LogoutFilter logoutFilter = new LogoutFilter(config, "/?defaulturlafterlogout");
        logoutFilter.setDestroySession(true);
        filterHelper.addFilterMapping("logoutFilter", logoutFilter, "/logout");

        ...
    }
}

3) Spring

It can be defined as a simple JEE filter via Spring:

    @Bean
    public FilterRegistrationBean logoutFilter() {
        final LogoutFilter filter = new LogoutFilter(config(), "/?defaulturlafterlogout");
        filter.setDestroySession(true);
        final FilterRegistrationBean registrationBean = new FilterRegistrationBean();
        registrationBean.setFilter(filter);
        registrationBean.addUrlPatterns("/pac4jLogout");
        return registrationBean;
    }

4) Spring Security

It can be defined in a Java configuration like any Spring Security filter:

    @Configuration
    @Order(6)
    public static class LogoutWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        @Autowired
        private Config config;

        protected void configure(final HttpSecurity http) throws Exception {

            final LogoutFilter logoutFilter = new LogoutFilter(config, "/?defaulturlafterlogout");
            logoutFilter.setDestroySession(true);

            http
                    .antMatcher("/pac4jLogout")
                    .addFilterBefore(logoutFilter, BasicAuthenticationFilter.class)
                    .csrf().disable();
        }
    }

5) Shiro

Or it can be defined in a shiro.ini file:

[main]
pac4jLogout = org.pac4j.jee.filter.LogoutFilter
pac4jLogout.config = $config

[urls]
# Shiro logout:
#/logout = logout
# pac4j logout:
/pac4jLogout = pac4jLogout
Add a custom footer
⚠️ **GitHub.com Fallback** ⚠️