Override login and logout of Spring Security in Grails

23 / Jul / 2015 by Aman Kumar Mishra 4 comments

What if our use case is to perform any custom task for login and logout while keeping the beauty of spring security intact. My use case was to make a third party SOAP API call to perform login/logout sending user’s detail as parameter.

Override Login

Write own Authentication Provider class that extends AbstractUserDetailsAuthenticationProvider and override authenticate method. For reference we can see AbstractUserDetailsAuthenticationProvider.

Next we need to :

1. Create bean of our custom Authentication Provider. It can be done in Resources.groovy by writing

[java] beans = {
} [/java]

2. Register bean of our custom AuthenticationProvider . It can be done in BootStrap.groovy by writing :

def init {



Override Logout

We have come to know three ways to do this :

1. In most of the cases, we can write our custom task in target (action of corresponding link i.e. Logout, for example ‘index’ action of ‘LogoutController’) then redirect flow to j_spring_security_logout.

2. Write own LogoutHandler class that extends LogoutHandler and override logout method. For reference we can see SecurityContextLogoutHandler.

Next we need to create bean and register same of our custom LogoutHandler as we did for our custom AuthenticationProvider. Do I need to say that this time we need to write “SpringSecurityUtils.registerLogoutHandler” instead of “SpringSecurityUtils.registerProvider”?   :-P.

3. If we need to be sure that we are making third party API call once Spring’s logout was completed successfully, we can write our own Session Timeout Listener. It can be done in two ways :

a) Implementing HttpSessionListener :


public class MySessionListener implements HttpSessionListener {
public void sessionDestroyed(HttpSessionEvent sessionEvent) {
/* Do whatever we want */

To see this listener working, we need to add this listener in servlet context. To do this, In BootStrap.groovy, add

[java] def init = { servletContext – >

b) Implementing ApplicationListener :

public class SessionTimeoutListener implements ApplicationListener<SessionDestroyedEvent> {
public void onApplicationEvent(SessionDestroyedEvent event) {
/*Do whatever we want to do. For example, To get Username of logged out user, we can write next block of code*/
SecurityContext lstSecurityContext = event.getSecurityContext();
UserDetails ud;
for (SecurityContext securityContext : lstSecurityContext) {
ud = (UserDetails) securityContext.getAuthentication().getPrincipal();
System.out.println("Username of logged out user :" + ud.username)
} [/java]

To see it working, we just need to create it’s bean in Resources.groovy (As we did for CustomAuthenticationProvider and CustomLogoutHandler above).

Hope this helps 🙂 If it doesn’t then let us help you with your use case. Comment your use case below.


comments (4)

  1. Shreyanka

    I am currently trying to authenticate the user against the AD server,
    using LDAP Spring security Plugin.
    When I see the traffic over network, my service clearly receives a successful bindResponse from the AD server.
    but my service displays “Sorry, you’re not authorized to view this page.”
    I need my application to redirect to a different URL in case the bind request is successful.
    Can you please suggest how should I be doing it.
    I am grails 3.3.0 and can not see any login/logout controller where can I do any configuration.

  2. Ali


    I would like to use this. Tired of trying to bind to AD using spring ldap plugin. I already have a working soap api and would love to wire it up as you have. Would it be possible to see full code?

    1. Aman Mishra

      Sure Ali. Most importantly, also share the exact purpose you are doing it for. So that I can relate it to your code and understand better.


Leave a Reply

Your email address will not be published. Required fields are marked *