Skip to content

Removing user login credentials from session when user logout in spring-security

I am new to Spring and Spring-Security. I have been going through the tutorials here

The user are not allowed to hit add employee page without login. So if you hit add employee page, you will be directed to the login page and when login succeeded you are directed to the add employee page automatically.

But once the user logged in add employee link can be accessed even after the user logs out. It can be accessed even after the server is restarted, I had to close the browser window for the login credentials to be destroyed.

It works fine when when I keep the logout url as “j_spring_security_logout” which I dont want to use. I want to use custom feild names and urls, is it possible?

This is how my spring-security.xml looks

<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/logout" access="permitAll" />
    <intercept-url pattern="/accessdenied" access="permitAll" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    <form-login login-page="/login" default-target-url="/list"
        authentication-failure-url="/accessdenied" />
    <logout logout-success-url="/logout" invalidate-session="true"
        delete-cookies="true" />
<authentication-manager alias="authenticationManager">
            <user name="hasif" password="password" authorities="ROLE_USER" />

This is how my LoginController looks

public class LoginController {

    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String login() {     
        return "login";

    @RequestMapping(value = "/logout", method = RequestMethod.GET)
    public String logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return "logout";

    @RequestMapping(value = "/accessdenied", method = RequestMethod.GET)
    public String accessdenied() {
        return "accessdenied";


Your configuration is wrong, you must specify the logout-url attribute and not the logout-success-url. The latter is the url you are send to after logout has been successful.

<logout logout-url="/logout" invalidate-session="true" delete-cookies="true" />

delete-cookies takes a comma separated string with names of cookies to delete, I doubt you have a cookie named true and the session is invalidated by default. So basically the following gives the same result.

<logout logout-url="/logout" />

If you want to change the name of the parameter to use for specifying the username/password add respectively the username-parameter and password-parameter on the form-login element.

<form-login login-page="/login" default-target-url="/list" authentication-failure-url="/accessdenied" username-parameter="my-username-param" password-parameter="my-password-param"/>

For an explanation of the namespaces I suggest a read of the reference guide.