Spring Security: Redirect to invalid-session-url instead of logout-success-url on successful logout

Question

I have implemented a login-logout system with Spring Security 3.0.2, everything is fine but for this one thing: after I added a session-management tag with invalid-session-u

Answer 1

Do not confuse the logout-url attribute in the logout tag with the invalid-session-url attribute from session-management.

The latter is the URL to execute the action of logging out while the former is the URL being forwarded to upon a logout action.

To put it in other words, when creating a logout button, the URL for that button would be the logout-url value. Now when the logout is done, spring security, be default, will render the main application's root app path, i.e.: http://yourserver:yourport/yourwebapp/. This path is overridden by invalid-session-url. So upon logout, you will be forwarded there.

To sum up, if you don't want the behavior you're asking for, then do not use invalid-session-url attribute. Hope that helps.