Reputation: 325
I have a problem with remember-me. I've implemented it using PersistentTokenRepository. Everything works except logout.
After login, new record in DB is created, user has remember-me cookie.
After deleting session cookie, user obtains new cookie, old record in DB is updated.
After /logout, the logout method is not invoked (from PersistentTokenBasedRememberMeServices; I checked it by extending the class and logging). How do I add it to the logout filter or something like this? I checked the source and the logout method removes the record from the DB and deletes the cookie, so I only need to invoke it.
I am using Java config.
Security:

```java
// Body of configure(HttpSecurity) in a WebSecurityConfigurerAdapter;
// persistentTokenRepository and rememberMeValidSeconds are fields of the config class.
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf();
    http.authorizeRequests()
        .antMatchers("/").permitAll()
        .antMatchers("/test").hasRole("USER")
        .antMatchers("/made/administration/**").hasRole("ADMIN");
    http.formLogin().loginPage("/login").usernameParameter("email").passwordParameter("password");
    http.logout().logoutUrl("/logout").logoutSuccessUrl("/login?logout");
    http.exceptionHandling().accessDeniedPage("/access-denied");
    http.rememberMe().tokenRepository(persistentTokenRepository)
        .tokenValiditySeconds(rememberMeValidSeconds);
}
```
Upvotes: 1
Views: 1981
Reputation: 325
Problem solved. I had to change the controller and, because I'm using CSRF, log out by POST (not GET).
So I removed:

```java
// Removed handler. With CSRF enabled, LogoutFilter only matches POST /logout, so a
// GET /logout fell through to this controller, which only cleared the SecurityContext;
// PersistentTokenBasedRememberMeServices.logout() (the remember-me LogoutHandler) never ran.
@RequestMapping(value = "/logout", method = RequestMethod.GET)
public String logoutPage(HttpServletRequest request, HttpServletResponse response) {
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth != null) {
        new SecurityContextLogoutHandler().logout(request, response, auth);
    }
    return "redirect:/login?logout";
}
```

And added a form that POSTs to /logout.
Upvotes: 1
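The fix in the answer, spelled out as a complete configuration. This is an added example, not the asker's code: the class name SecurityConfig, the injected DataSource, the JdbcTokenRepositoryImpl bean and the 14-day validity are assumptions. The point it shows is that no custom /logout controller exists, so the request reaches LogoutFilter, whose handler chain includes PersistentTokenBasedRememberMeServices (registered by rememberMe()), which deletes the persistent_logins row and clears the remember-me cookie. Because csrf() is enabled, LogoutFilter only matches POST /logout, so the page must submit a form carrying the CSRF token; the form is shown in the comment at the end.

```java
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource; // assumed: the application's JDBC DataSource bean

    // Persistent remember-me tokens stored in the persistent_logins table.
    @Bean
    public PersistentTokenRepository persistentTokenRepository() {
        JdbcTokenRepositoryImpl repo = new JdbcTokenRepositoryImpl();
        repo.setDataSource(dataSource);
        // repo.setCreateTableOnStartup(true); // first run only: creates persistent_logins
        return repo;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF on: LogoutFilter now matches only POST /logout, never GET.
            .csrf().and()
            .authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/test").hasRole("USER")
                .antMatchers("/made/administration/**").hasRole("ADMIN")
                .and()
            .formLogin()
                .loginPage("/login")
                .usernameParameter("email")
                .passwordParameter("password")
                .and()
            // No @RequestMapping("/logout") controller anywhere: LogoutFilter handles the
            // request and runs every registered LogoutHandler, including the remember-me
            // one, which deletes the persistent_logins row and clears the remember-me cookie.
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/login?logout")
                .deleteCookies("JSESSIONID")
                .and()
            .exceptionHandling()
                .accessDeniedPage("/access-denied")
                .and()
            .rememberMe()
                .tokenRepository(persistentTokenRepository())
                .tokenValiditySeconds(14 * 24 * 60 * 60); // assumed: 14 days
    }

    /*
     * The page logs out with a POST that carries the CSRF token. With Thymeleaf and
     * the Spring Security integration, th:action adds the hidden _csrf field itself:
     *
     *   <form th:action="@{/logout}" method="post">
     *     <input type="submit" value="Log out"/>
     *   </form>
     *
     * In plain JSP/HTML add the field explicitly:
     *
     *   <form action="/logout" method="post">
     *     <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
     *     <input type="submit" value="Log out"/>
     *   </form>
     */
}
```

To confirm the handler runs, log out and check that the user's row is gone from persistent_logins and that the response carries a Set-Cookie that expires the remember-me cookie; a GET /logout with this configuration does neither (it falls through to whatever mapping, if any, serves that URL), which is exactly the symptom in the question.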