Reputation: 2818
I have a Spring Security Java configuration:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.
            ...
            .logout()
            .permitAll();
    }
And according to the document (http://docs.spring.io/spring-security/site/docs/3.2.0.RELEASE/reference/htmlsingle/), the logout URL is the same as the previous version as j_spring_security_logout (Interesting to know any other URLs in the login form have been changed). The URL doesn't work for me.
Anything missing?
Upvotes: 0
Views: 850
Reputation: 10043
Using Spring 3.2 and Java Config, they have changed the default URLs/field names to prevent info leakage (people being able to work out you are running a Spring app by looking at the field names/URLs). It touches upon the change briefly here (although this only mentions the username/password/etc., not explicitly the logout, but I assume it has been changed for the same reasoning): http://docs.spring.io/spring-security/site/docs/3.2.0.RELEASE/reference/htmlsingle/#jc-httpsecurity.
If you update your link to post to /logout it should work.
If you look at the source (click through the Java code config) of the classes you will see the logout() method called from your config is on HttpSecurity.class and that applies the class LogoutConfigurer.class - you can see here the default matcher that is now being applied:
    public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHttpConfigurer<LogoutConfigurer<H>,H> {
        private List<LogoutHandler> logoutHandlers = new ArrayList<LogoutHandler>();
        private SecurityContextLogoutHandler contextLogoutHandler = new SecurityContextLogoutHandler();
        private String logoutSuccessUrl = "/login?logout";
        private LogoutSuccessHandler logoutSuccessHandler;
        private RequestMatcher logoutRequestMatcher = new AntPathRequestMatcher("/logout", "POST");
(also worth noting, the POST method - plus, if you have not disabled CSRF protection, then you will need to provide the CSRF field as well - as for any post)
Upvotes: 2
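The configuration the answer describes, written out as an added example (not part of the original posts and not Spring Security's own code): the logout matcher and success URL are the defaults quoted from LogoutConfigurer, made explicit. The class name SecurityConfig, the authorizeRequests/formLogin rules and the JSP view are assumptions for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Hypothetical configuration class; only the logout() section mirrors the thread.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()   // assumed access rule
                .and()
            .formLogin()
                .permitAll()
                .and()
            .logout()
                // Same values as the LogoutConfigurer defaults, spelled out:
                // only POST /logout triggers logout, so a plain link (GET) does not.
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "POST"))
                .logoutSuccessUrl("/login?logout")
                .permitAll();
        // CSRF protection is left enabled (the Java-config default), so the
        // logout POST must carry the token exposed as request attribute "_csrf".
    }
}

/* Matching logout form, assuming a JSP view:

<form action="${pageContext.request.contextPath}/logout" method="post">
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
    <input type="submit" value="Log out"/>
</form>
*/
```

A POST to /logout without the hidden _csrf field is rejected by the CSRF filter before the logout filter runs, which looks the same to the user as a logout URL that "doesn't work".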