Hi Les,
The "problem" is if I don't follow the use case. For example, index.html has a redirect meta to app.html; in fact everything sends the user to app.html, but that page is protected by authc that knows where the login page is and to send the user to the place they were trying to get to (or a default).

Logout filter redirects to app.html too, since this is where the user really wants to go (but they shouldn't be able to because that page is protected), but immediately after the logout the redirect succeeds somehow, which is surprising as the user should be blocked.

It isn't a drama, I can reconfigure things to send a user to the login page after a logout, but in theory I'd like to be able to send a user anywhere after logout and not care whether that page is secure or otherwise.

Marcus.

From: Les Hazlewood [mailto:[email protected]]
Sent: 07 August 2012 20:29
To: [email protected]
Subject: Re: Logout Filter

Hi Marcus,

I'm not sure I understand the problem. This is the expected config/use case:

[main]
#any url will do - redirect them to login after logout:
logout.redirectUrl = /login

[urls]
/logout = logout

The LogoutFilter doesn't ever check to see if the request should continue - it always calls subject.logout() and then redirects to the 'redirectView'.

Source: http://svn.apache.org/repos/asf/shiro/trunk/web/src/main/java/org/apache/shiro/web/filter/authc/LogoutFilter.java

HTH,
Les

On Thu, Aug 2, 2012 at 4:50 AM, Marcus Bond <[email protected]> wrote:

Has anyone else tried using the Logout filter in 1.2? I notice that if the redirectUrl is configured as a secure page then despite going to the logout the secure page is shown, however an immediate refresh of the secure page is not permitted and the user is sent to the login page. So it seems that one more page view can be achieved after what would be considered to be a logout.
