Override login and logout of Spring Security in Grails

23 / Jul / 2015 by Aman Mishra 2 comments

What if our use case is to perform any custom task for login and logout while keeping the beauty of spring security intact. My use case was to make a third party SOAP API call to perform login/logout sending user’s detail as parameter.

Override Login

Write own Authentication Provider class that extends AbstractUserDetailsAuthenticationProvider and override authenticate method. For reference we can see AbstractUserDetailsAuthenticationProvider.

Next we need to :

1. Create bean of our custom Authentication Provider. It can be done in Resources.groovy by writing

 beans = {

2. Register bean of our custom AuthenticationProvider . It can be done in BootStrap.groovy by writing :

def init {

Override Logout

We have come to know three ways to do this :

1. In most of the cases, we can write our custom task in target (action of corresponding link i.e. Logout, for example ‘index’ action of ‘LogoutController’) then redirect flow to j_spring_security_logout.

2. Write own LogoutHandler class that extends LogoutHandler and override logout method. For reference we can see SecurityContextLogoutHandler.

Next we need to create bean and register same of our custom LogoutHandler as we did for our custom AuthenticationProvider. Do I need to say that this time we need to write “SpringSecurityUtils.registerLogoutHandler” instead of “SpringSecurityUtils.registerProvider”?   :-P.

3. If we need to be sure that we are making third party API call once Spring’s logout was completed successfully, we can write our own Session Timeout Listener. It can be done in two ways :

a) Implementing HttpSessionListener :


public class MySessionListener implements HttpSessionListener {
      public void sessionDestroyed(HttpSessionEvent sessionEvent) {
      /* Do whatever we want */

To see this listener working, we need to add this listener in servlet context. To do this, In BootStrap.groovy, add

 def init = { servletContext - >

b) Implementing ApplicationListener :

public class SessionTimeoutListener implements ApplicationListener<SessionDestroyedEvent> {
    public void onApplicationEvent(SessionDestroyedEvent event) {
       /*Do whatever we want to do. For example, To get Username of logged out        user, we can write next block of code*/
       SecurityContext lstSecurityContext = event.getSecurityContext();
       UserDetails ud;
       for (SecurityContext securityContext : lstSecurityContext) {
         ud = (UserDetails) securityContext.getAuthentication().getPrincipal();
         System.out.println("Username of logged out user :" + ud.username)

To see it working, we just need to create it’s bean in Resources.groovy (As we did for CustomAuthenticationProvider and CustomLogoutHandler above).

Hope this helps :) If it doesn’t then let us help you with your use case. Comment your use case below.


comments (2)

  1. Ali


    I would like to use this. Tired of trying to bind to AD using spring ldap plugin. I already have a working soap api and would love to wire it up as you have. Would it be possible to see full code?

    1. Aman Mishra

      Sure Ali. Most importantly, also share the exact purpose you are doing it for. So that I can relate it to your code and understand better.


Leave a comment -