SJS

Reputation: 5667

How do I create a logout with Spring Security?

I am trying to find a way just to set up a URL that will log out my user from the system. This is only for testing. Right now we are using the default login page in Spring Security.

Here is my spring-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-3.1.xsd">


    <global-method-security pre-post-annotations="enabled" />

    <http use-expressions="true">
        <intercept-url access="hasRole('ROLE_VERIFIED_MEMBER')" pattern="/ask-union**" />
        <intercept-url access="hasRole('ROLE_VERIFIED_MEMBER')" pattern="/ask-welfare**" />
        <intercept-url pattern='/*' access='permitAll' />

        <form-login default-target-url="/ask-union" />

        <logout logout-success-url="/" />

        <session-management session-fixation-protection="newSession">
            <concurrency-control max-sessions="1"/>
        </session-management>

    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="[email protected]" password="testing" authorities="ROLE_VERIFIED_MEMBER" />
            </user-service>

        </authentication-provider>
    </authentication-manager>
</beans:beans>

Upvotes: 2

Views: 12270

Answers (4)

Jaymes Bearden

Reputation: 2049

Late to the party, but for future reference -- if you are interested in seeing how the security filters are instantiated and configured from XML, take a look at the following package:

org.springframework.security.config.annotation.web.configurers 

For the logout filter configuration, this will be the LogoutConfigurer class. If you review the LogoutConfigurer.createLogoutFilter() method, you'll see how the default Logout filter is created. This implies that you can do the following in an @Configuration class:

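import org.springframework.context.annotation.Bean;
import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Place this method inside an @Configuration class.
@Bean
public LogoutFilter logoutFilter() {
    // NOTE: See org.springframework.security.config.annotation.web.configurers.LogoutConfigurer
    // for details on setting up a LogoutFilter
    SecurityContextLogoutHandler securityContextLogoutHandler = new SecurityContextLogoutHandler();
    // Invalidate the server-side HttpSession on logout
    securityContextLogoutHandler.setInvalidateHttpSession(true);

    // "/" is the URL to redirect to after logout; "/logout" is the path that triggers it
    LogoutFilter logoutFilter = new LogoutFilter("/", securityContextLogoutHandler);
    logoutFilter.setLogoutRequestMatcher(new AntPathRequestMatcher("/logout"));
    return logoutFilter;
}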

If you have that, you can then either configure further by beans or have that bean picked up automatically, since its method name is logoutFilter().

Upvotes: 0

Jeevan Patil

Reputation: 6089

I am a bit late on this, but the answer may help others.

Use the following code. logout-success-url is the URL you want to take the user to after logging out.

<http auto-config="true" use-expressions="true" access-denied-page="/denied">       
    <logout invalidate-session="true" logout-success-url="/landing" delete-cookies="JSESSIONID" />
</http>

Upvotes: 1

cabbagery

Reputation: 919

Double-check the URL you're using -- the absolute path should be your-domain/projectPath/sign-out, per SJS's example. If the relevant portion of your spring-security.xml file looks like the following, it should work:

<http use-expressions="true">

. . .

    <logout
        logout-success-url="/"
        logout-url="/sign-out"/>

If you're able to authenticate, then simply browse to that path, and it should log you out. If it still doesn't, try experimenting with the intermediary subdirectories specified in the URL, i.e. your-domain/projectPath/some-subdirectory/log-out.

Are you able to authenticate? It may not just be the logout aspect that's failing...

Upvotes: 0

rhinds

Reputation: 10043

Add this line to your config:

<logout logout-url="/sign-out"/>

Then, if you have a link to that URL, it will sign you out.

(Add it just below your logout success config)

Upvotes: 2
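
The logout settings from the answers above combined into the question's configuration, as an added example that is not code from any of the posters. The /sign-out path and the JSESSIONID cookie name are taken from the answers; the user entry is a constructed placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: the question's config with the logout attributes from the answers merged in. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                        http://www.springframework.org/schema/security
                        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <http use-expressions="true">
        <intercept-url access="hasRole('ROLE_VERIFIED_MEMBER')" pattern="/ask-union**" />
        <intercept-url access="hasRole('ROLE_VERIFIED_MEMBER')" pattern="/ask-welfare**" />
        <intercept-url pattern='/*' access='permitAll' />

        <form-login default-target-url="/ask-union" />

        <!-- logout-url: path the logout filter listens on, relative to the context path.
             If omitted, the 3.1 namespace default is /j_spring_security_logout.
             logout-success-url: where the browser is redirected after logout.
             invalidate-session: discard the server-side HttpSession (true is also the default).
             delete-cookies: expire the named cookies in the browser on logout. -->
        <logout logout-url="/sign-out"
                logout-success-url="/"
                invalidate-session="true"
                delete-cookies="JSESSIONID" />

        <session-management session-fixation-protection="newSession">
            <concurrency-control max-sessions="1"/>
        </session-management>
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- Constructed placeholder account for testing only -->
                <user name="test-user@example.invalid" password="testing"
                      authorities="ROLE_VERIFIED_MEMBER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

With this loaded, browsing to your-domain/projectPath/sign-out while authenticated ends the session and redirects to the context root.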
