Class LogoutHandler

java.lang.Object
org.codelibs.fess.api.v2.handlers.LogoutHandler

public class LogoutHandler extends Object
Handles POST /api/v2/auth/logout.

The endpoint is idempotent — calling it without a session still returns {"ok": true} so SPAs can fire-and-forget on tab close. When a session does exist it is invalidated; the CSRF token need not be rotated explicitly because session.invalidate() discards the entire session including all CSRF state.

IllegalStateException from session.invalidate() is silently swallowed: TypicalLoginAssist.logout() may already have invalidated the session internally, and the contract is "idempotent ok".

  • Constructor Summary

    Constructors
    Constructor
    Description
    Default constructor.
  • Method Summary

    Modifier and Type
    Method
    Description
    void
    handle(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res)
    Processes one /api/v2/auth/logout POST request.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • LogoutHandler

      public LogoutHandler()
      Default constructor. The handler is stateless and intended to be instantiated once by the API manager and shared across concurrent requests.
  • Method Details

    • handle

      public void handle(jakarta.servlet.http.HttpServletRequest req, jakarta.servlet.http.HttpServletResponse res) throws IOException
      Processes one /api/v2/auth/logout POST request.

      Invokes TypicalLoginAssist.logout() (swallowing failures so the call remains idempotent) and then invalidates the underlying HttpSession when one exists. Rejects non-POST methods with V2ErrorCode.METHOD_NOT_ALLOWED; otherwise always writes a success envelope of {"ok": true}.

      Parameters:
      req - the incoming HTTP request
      res - the HTTP response to write to
      Throws:
      IOException - if writing the envelope fails