Over a million developers have joined DZone.

Grails Goodness: Don't Invalidate Session After Logout with Spring Security Plugin

DZone's Guide to

Grails Goodness: Don't Invalidate Session After Logout with Spring Security Plugin

· Java Zone ·
Free Resource

Java-based (JDBC) data connectivity to SaaS, NoSQL, and Big Data. Download Now.

The Spring security plugin makes it easy to add authentication and autorization to our Grails application. The underlying Spring security framework is still accessible using Spring configuration and as a matter of fact the plugin uses a lot of the Spring security components. When we choose the logout action so-called logout handlers are configured and we can customize them in the Spring configuration of our Grails application.

One of the logout handlers is a Spring bean with the name securityContextLogoutHandler of type org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler. This handler will clear the security context and invalidate a HTTP session if it is available. If we don't want to invalidate the session we must reconfigure this Spring bean. The good thing is we can override bean definitions in our Grails application. For example we can define a bean in grails-app/conf/spring/resources.groovy with the same name securityContextLogoutHandler and type, but use different property values. In our sample we must set the property invalidateHttpSession of org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler to false. Now our session is not invalidated, but the security context is still cleared.

// File: grails-app/conf/spring/resources.groovy
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler

beans = {
    securityContextLogoutHandler(SecurityContextLogoutHandler) {
        invalidateHttpSession = false

Sample written with Grails 2.2.1 and Spring security core plugin


Connect any Java based application to your SaaS data.  Over 100+ Java-based data source connectors.


Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}