jnc

Reputation: 57

Spring Security 3.2: Can't logout

I'm new to Spring Security with Java configuration. What I'm trying to achieve is the following: My app is using JSP; I have a custom login form called /login.jsp.

I have defined HttpSecurity as:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().anyRequest().authenticated().and().formLogin()
        .loginPage("/login.jsp").permitAll().and().logout().permitAll();
}

Logging in works fine, URLs are properly intercepted, the login form is presented and upon successful login, I access the app page.

The problem is with the logout process; I have included a link in my jsp for logout:

<li><a href="${pageContext.request.contextPath}/logout"
title="Logout"><span class="glyphicon glyphicon-log-out"></span></a></li>

but when I click the link, I get a 404 error because there is no such page /logout.

I have tried specifying the link as:

<li><a href="${pageContext.request.contextPath}/login.jsp?logout=0"
title="Logout"><span class="glyphicon glyphicon-log-out"></span></a></li>

but although it displays the login page with the 'you have been logged out' message, I can still access the app pages.

So I'm wondering what value I should set in the logout link and what the corresponding settings should be in the HttpSecurity configuration, knowing that what I want to achieve is that when a user clicks the logout link, he is logged out and redirected to the login page with the message 'you have been logged out'.

Best regards

Jean-Noël

Upvotes: 2

Views: 1012

Answers (1)

Bart

Reputation: 17361

You need to specify the logout URL in your configuration, e.g.

.logoutUrl("/logout")

Without setting this, Spring Security will default to /j_spring_security_logout.

Upvotes: 2
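
A complete configuration along the lines of the answer above, as an added example that is not part of the original question or answer. The class name SecurityConfig, the success URL /login.jsp?logout and the JSESSIONID cookie name are assumptions; the JSP form in the trailing comment assumes CSRF protection is left at its Java-config default (enabled), in which case the logout request must be a POST.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical class name

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login.jsp")
                .permitAll()
                .and()
            .logout()
                // URL that triggers the logout filter (the setting named in the answer)
                .logoutUrl("/logout")
                // Where the browser is sent afterwards (assumed URL); login.jsp can show
                // "you have been logged out" when the "logout" parameter is present
                .logoutSuccessUrl("/login.jsp?logout")
                // Drop the server-side session so app pages are no longer reachable
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID") // assumed: container's default session cookie
                .permitAll();
    }
}

/*
 * With CSRF protection left enabled, the logout request must be a POST
 * carrying the CSRF token, so the link in the JSP becomes a small form
 * (a plain GET link to /logout is not handled by the logout filter):
 *
 * <form action="${pageContext.request.contextPath}/logout" method="post">
 *   <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 *   <button type="submit" title="Logout">
 *     <span class="glyphicon glyphicon-log-out"></span>
 *   </button>
 * </form>
 */
```

To check the result, log out and then request a protected page in the same browser: it should redirect to /login.jsp rather than render.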
