craigmiller160

Reputation: 6273

Spring Security: Logout Isn't working - "requested resource not available"

So, I'm trying to get my first ever practice application with Spring Security working. It's just a simple test to try and see if I can just get the basics working, before moving on to more complex implementations.

I'm using Spring Security 4 btw, with Spring 4.2.2.

Right now, I have a welcome page and an admin page. Trying to access the admin page is intercepted and redirected to the default Spring Security login form. From there, I can login and be authenticated to access the admin page.

On the admin page, I have a logout link. This is where it goes wrong. I have two logout links right now, for two different methods I've tried of making this work.

The first is a simple URL. It uses the `<a>` tag, and within it is the JSTL `<c:url>` tag. I'm trying to call the logout URL there. When I do, I get an HTTP Status 404 page with a description saying The requested resource is not available.

The second way is with a form. I try having a submit button in a form, with the form's action attribute set to the logout URL and the method set to post.

This one gives me a more complex error, which I'll copy and paste here:

Title: HTTP Status 403 - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.

Type: Status report

Message: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.

Description: Access to the specified resource has been forbidden.

The URL of the error page in both cases, btw, is localhost:8080/spring-security/logout, spring-security being the name of this test app.

So, I'm a bit lost. This is my first time working with Spring Security, and I really don't know what I'm doing wrong. Any help would be appreciated.

Below I'm pasting my admin.jsp page and my spring-security.xml page.

Thanks in advance.

admin.jsp page:

<%@ page session="true" %>
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
<head>
<%@ include file="jstl-stub.jsp" %> <!-- Include links to JSTL Libraries -->
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Admin Page</title>
</head>
<body>

<h1>Title: ${title}</h1>

<h1>Message: ${message}</h1>

<c:if test="${pageContext.request.userPrincipal.name != null}">
    <h2>Welcome: ${pageContext.request.userPrincipal.name}
    | <a href="<c:url value="/logout"/>">Logout</a></h2>

    <br><br>

    <form action="logout" method="post">
        <input type="submit" value="logout"/>
    </form>
</c:if>

</body>
</html>

spring-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.2.xsd">

<security:http auto-config="true">
    <security:intercept-url pattern="/admin" access="hasRole('ROLE_USER')"/>
    <security:logout logout-url="/logout" logout-success-url="/welcome"/>
</security:http>

<security:authentication-manager>
    <security:authentication-provider >
        <security:user-service>
            <security:user name="user" password="password" authorities="ROLE_USER"/>
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>

</beans:beans>

Upvotes: 0

Views: 2003

Answers (2)

Kai

Reputation: 849

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
    // other code ...
}

Disabling CSRF will work for you, and allow you to call /logout by GET method.

Upvotes: 1

Burak Keceli

Reputation: 953

I think the second problem is with your POST method. I saw that you are using Security 4.0, and 4.0 has CSRF protection enabled by default. If you do not want to have this, you have to disable it.

As of Spring Security 4.0, CSRF protection is enabled by default with XML configuration. If you would like to disable CSRF protection, the corresponding XML configuration can be seen below.

<http>
  <!-- ... -->
  <csrf disabled="true"/>
</http>

See the link below: http://docs.spring.io/spring-security/site/docs/4.0.x/reference/htmlsingle/#csrf-configure

But if you want to keep CSRF protection, you need to add the token to the POST request.

This tutorial may help you.

http://myshittycode.com/2015/03/30/spring-security-invalid-csrf-token-null-was-found-on-the-request-parameter-_csrf-or-header-x-csrf-token/

Upvotes: 1
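As an added example (not code from the question or from either answer), here is the logout part of admin.jsp rewritten so that CSRF protection stays enabled, which is the alternative to the `<csrf disabled="true"/>` route. It assumes the `c` prefix comes from the JSTL core taglib that the question's jstl-stub.jsp includes; the `_csrf` request attribute and its `parameterName` and `token` properties are Spring Security's own (CsrfFilter stores the CsrfToken there). The GET link is replaced by one that submits the POST form, because Spring Security 4 accepts logout only over POST while CSRF protection is on, which is why the plain `<c:url value="/logout"/>` link returned 404.

```jsp
<%-- Added example: logout with CSRF protection left enabled
     (Spring Security 4 XML config exactly as in the question). --%>
<c:if test="${pageContext.request.userPrincipal.name != null}">
    <h2>Welcome: ${pageContext.request.userPrincipal.name}
    <%-- With CSRF enabled, LogoutFilter only matches POST /logout, so a GET link
         falls through to a 404. This link simply submits the POST form below. --%>
    | <a href="#" onclick="document.getElementById('logoutForm').submit(); return false;">Logout</a></h2>

    <%-- c:url makes the action context-relative (/spring-security/logout),
         matching logout-url="/logout" in spring-security.xml. --%>
    <form id="logoutForm" action="<c:url value='/logout'/>" method="post">
        <%-- CsrfFilter exposes the CsrfToken as request attribute "_csrf".
             Sending it back under the parameter name it declares (_csrf by default)
             is what the filter checks; without this field the request is rejected
             with HTTP 403 "Invalid CSRF Token 'null' was found ...", as in the question. --%>
        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
        <input type="submit" value="Logout"/>
    </form>
</c:if>
```

The token lives in the HttpSession by default (HttpSessionCsrfTokenRepository), so the page's `session="true"` directive must stay. If the project also adds the spring-security-taglibs jar (an assumption, it is not in the question), `<sec:csrfInput/>` from the Spring Security taglib renders the same hidden input.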
