kecman

Reputation: 853

Spring logout access denied

I'm using Spring Security, trying to set up basic login/logout functionality. Login works OK, I store users in a MySQL DB, and I'm able to log in, but I have a problem with logging out. On the home page I made a logout link, looking like this, but when I click it I get 403 Access denied, and the user doesn't get logged out:

<a href="<c:url value="j_spring_security_logout" />" > Logout</a>

And here is my security-context.xml:

<security:authentication-manager>
    <security:authentication-provider>
        <security:jdbc-user-service data-source-ref="dataSource" />
    </security:authentication-provider>
</security:authentication-manager>
<security:http use-expressions="true">
    <security:intercept-url pattern="/static/**" access="permitAll" />
    <security:intercept-url pattern="/loggedout" access="permitAll" />
    <security:intercept-url pattern="/login" access="permitAll" />
    <security:intercept-url pattern="/createoffer" access="isAuthenticated()" />
    <security:intercept-url pattern="/docreate" access="isAuthenticated()" />
    <security:intercept-url pattern="/offercreated" access="isAuthenticated()" />
    <security:intercept-url pattern="/newaccount" access="permitAll" />
    <security:intercept-url pattern="/createaccount" access="permitAll" />
    <security:intercept-url pattern="/accountcreated" access="permitAll" />
    <security:intercept-url pattern="/" access="permitAll" />
    <security:intercept-url pattern="/offers" access="permitAll" />
    <security:intercept-url pattern="/**" access="denyAll" />

    <security:logout logout-success-url="/loggedout"/>
    <security:form-login login-page="/login"
        authentication-failure-url="/login?error=true" />

</security:http>

And /loggedout is mapped to a basic .jsp page, just saying "You have logged out."

Also, when I click the logout link when I'm not logged in, it takes me to the login page.

What am I doing wrong?

Upvotes: 2

Views: 1644

Answers (3)

Sh-a-i

Reputation: 95

Add this under the <security:http use-expressions="true"> section:

<security:csrf disabled="true"/>

Worked for me.

Upvotes: 0
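
An alternative to disabling CSRF protection, shown as an added example that is not part of the original answers: keep CSRF enabled and send logout as a POST that carries the token. It assumes Spring Security 4.x, where the XML namespace enables CSRF by default and the logout filter then only handles POST requests; the rules are copied from the question, and the form markup is illustrative.

```xml
<!-- security-context.xml: CSRF left at its default (enabled), no <security:csrf disabled="true"/> -->
<security:http use-expressions="true">
    <security:intercept-url pattern="/static/**" access="permitAll" />
    <security:intercept-url pattern="/loggedout" access="permitAll" />
    <security:intercept-url pattern="/login" access="permitAll" />
    <security:intercept-url pattern="/createoffer" access="isAuthenticated()" />
    <security:intercept-url pattern="/docreate" access="isAuthenticated()" />
    <security:intercept-url pattern="/offercreated" access="isAuthenticated()" />
    <security:intercept-url pattern="/newaccount" access="permitAll" />
    <security:intercept-url pattern="/createaccount" access="permitAll" />
    <security:intercept-url pattern="/accountcreated" access="permitAll" />
    <security:intercept-url pattern="/" access="permitAll" />
    <security:intercept-url pattern="/offers" access="permitAll" />
    <security:intercept-url pattern="/**" access="denyAll" />

    <!-- Explicit logout URL, so the logout filter handles this path
         before the request can reach the denyAll rule above -->
    <security:logout logout-url="/j_spring_security_logout"
                     logout-success-url="/loggedout" />
    <security:form-login login-page="/login"
        authentication-failure-url="/login?error=true" />
</security:http>

<!-- Home page JSP (illustrative markup): logout is a POST form, not a GET link.
     The _csrf request attribute is exposed by Spring Security's CSRF filter. -->
<form action="${pageContext.request.contextPath}/j_spring_security_logout" method="post">
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
    <button type="submit">Logout</button>
</form>
```

With this form, a cross-site request cannot force a logout or any other state-changing request, because the per-session token is still checked on every POST.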

kecman

Reputation: 853

I just added logout-url="/j_spring_security_logout" to the security:logout and it is working as it should now. But I thought it would work even without this parameter if I use /j_spring_security_logout as the logout link.

Upvotes: 0

codependent

Reputation: 24472

Add this as the first rule in the <security:http use-expressions="true"> section:

<security:intercept-url pattern="/j_spring_security_logout" access="permitAll" />

Upvotes: 1
