I have implemented a login-logout system with Spring Security 3.0.2, everything is fine but for this one thing: after I added a session-management tag with invalid-session-u
By default, the logout process will first invalidate the session, hence triggering the session management to redirect to the invalid session page. Specifying invalidate-session="false" will fix this behavior.
<sec:logout logout-success-url="/logout" invalidate-session="false"
delete-cookies="JSESSIONID" />
Do not confuse the logout-url attribute in the logout tag with the invalid-session-url attribute from session-management.
The latter is the URL to execute the action of logging out while the former is the URL being forwarded to upon a logout action.
To put it in other words, when creating a logout button, the URL for that button would be the logout-url value.
Now when the logout is done, Spring Security, by default, will render the main application's root app path, i.e.: http://yourserver:yourport/yourwebapp/. This path is overridden by invalid-session-url. So upon logout, you will be forwarded there.
To sum up, if you don't want the behavior you're asking for, then do not use the invalid-session-url attribute.
Hope that helps.
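The logout and session-management settings discussed above, side by side, as an added configuration example that is not from the original posts. It is a fragment from inside a beans file with the sec namespace declared. The paths /sessionExpired and /doLogout are placeholders, and it assumes a Spring Security version whose namespace accepts delete-cookies, as the first answer's snippet does.

```xml
<!-- Added example, not from the original posts. Placeholder URLs throughout. -->
<sec:http auto-config="true">

    <!-- Requests that arrive with a session id the container no longer
         knows are redirected here. -->
    <sec:session-management invalid-session-url="/sessionExpired" />

    <!-- Variant A: the setting from the first answer.
         The HttpSession is not invalidated at logout, so the session and
         every attribute stored in it stay alive on the server until the
         container's timeout. Nothing application-specific kept in the
         session is cleared unless the application does it itself. -->
    <!--
    <sec:logout logout-url="/doLogout"
                logout-success-url="/logout"
                invalidate-session="false"
                delete-cookies="JSESSIONID" />
    -->

    <!-- Variant B: keep the default invalidation and expire the cookie.
         The browser then follows the redirect to logout-success-url
         without the stale JSESSIONID, so the request does not look like
         an invalid session. Whether the cookie is really removed depends
         on the servlet container and the cookie path, so verify it in
         the target deployment. -->
    <sec:logout logout-url="/doLogout"
                logout-success-url="/logout"
                invalidate-session="true"
                delete-cookies="JSESSIONID" />

</sec:http>
```

To check either variant, log out and inspect the response headers for the expired JSESSIONID cookie, then confirm that the old session id no longer grants access to a protected URL.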