Barium Scoorge

Reputation: 2008

Spring Security logout issues

My app serves both web pages and rest endpoints (Spring boot + Spring 4)

I'm trying to set up a basic InMemoryAuth, but /logout does not work.

From the browser, it redirects to /login?logout with a 404 and has no effect on the user session.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .authorizeRequests()
        .antMatchers("/rest/**").hasRole("USER")
        .antMatchers("/ui/**").hasRole("USER")
      .and().logout()
            .logoutUrl("/logout")   // no logoutSuccessUrl set, so the default /login?logout is used
      .and().httpBasic()
      .and().csrf().disable();      // CSRF off: GET /logout is accepted; with CSRF on, logout must be a POST
  }

  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth
      .inMemoryAuthentication()
      .withUser("user").password("pass").roles("USER");  // plain-text password is accepted by Spring Security 4; 5+ requires a PasswordEncoder
  }
}

EDIT

with the following chain

http
  .authorizeRequests().anyRequest().authenticated()
  .and().logout().logoutUrl("/logout").logoutSuccessUrl("/").permitAll()  // redirect to the root page after logout
  .and().httpBasic()
  .and().csrf().disable();

and a root page defined, there is no 404 error.

With debug enabled, I'm able to see

Logging out user 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@442b5a9f: Principal: org.springframework.security.core.userdetails.User@36ebcb: Username: user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER' and transferring to logout destination
Invalidating session: B264148444D372CFC899A5B920818B68

but the browser does not ask for the username/password anymore; I'm able to access all URLs.

Upvotes: 2

Views: 2356

Answers (1)

shazin

Reputation: 21883

The default success URL for logout is /login?logout. Since you don't have formLogin() configured, you won't have a /login, which is why you get a 404. You had better change it to logout().logoutSuccessUrl("/") so that it redirects to the root.

UPDATE

Answering the EDIT section of the question. You have HTTP Basic enabled with the following:

httpBasic()

This means that once you enter the username and password in the popup the browser shows, the browser will send the following header with every request you make to your Spring Security protected site:

Authorization: Basic base64(username+":"+password)

That is why you can access all the URLs. It will keep logging the user in with each request if they are not already logged in. Sadly there is no fix for this at the moment. This is according to Wikipedia:

Existing browsers retain authentication information until the tab or browser is closed or the user clears the history. HTTP does not provide a method for a server to direct clients to discard these cached credentials. This means that there is no effective way for a server to "log out" the user without closing the browser. This is a significant defect that requires browser manufacturers to support a 'logout' user interface element (mentioned in RFC 1945, but not implemented by most browsers) or API available to JavaScript, further extensions to HTTP, or use of existing alternative techniques such as retrieving the page over SSL/TLS with an unguessable string in the URL.

Upvotes: 3
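The answer above explains why invalidating the server-side session changes nothing: the browser keeps replaying the Authorization: Basic header, and httpBasic() re-authenticates it on every request. The usual way around this in Spring Security is not to make the browser forget its credentials but to stop using HTTP Basic for the browser-facing pages at all. The configuration below is an added example, not code from the question or the answer; it assumes Spring Security 4.x, that REST clients live under /rest/** and that everything else is the server-rendered UI. REST gets a stateless Basic chain (no session is created, so there is nothing to log out of), and the UI gets a form login backed by a session cookie, where logout() actually ends access because the browser holds no cached password to resend.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@EnableWebSecurity
@Configuration
public class SplitSecurityConfig {

  // Shared in-memory user store; "user"/"pass" are placeholder credentials (assumption).
  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth
      .inMemoryAuthentication()
      .withUser("user").password("pass").roles("USER"); // Spring Security 5+ would need a PasswordEncoder
  }

  // Chain 1 (evaluated first): REST clients send Authorization: Basic on every call,
  // so keep this chain stateless. No HttpSession is created and no cookie is issued.
  @Configuration
  @Order(1)
  public static class RestConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
      http
        .antMatcher("/rest/**")                        // this chain only handles /rest/**
        .authorizeRequests().anyRequest().hasRole("USER")
        .and().httpBasic()
        .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and().csrf().disable();                       // safe only because no cookie session exists here
    }
  }

  // Chain 2 (catch-all): browser UI uses a form login and a session cookie.
  // Logout invalidates the session and the browser has no Basic credentials cached to resend.
  @Configuration
  @Order(2)
  public static class UiConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
      http
        .authorizeRequests()
          .antMatchers("/", "/login").permitAll()      // root page and login page stay public
          .anyRequest().hasRole("USER")
        .and().formLogin()                             // default login page served at /login
        .and().logout()
          .logoutUrl("/logout")                        // with CSRF enabled this must be a POST
          .logoutSuccessUrl("/")
          .invalidateHttpSession(true)
          .deleteCookies("JSESSIONID");
      // CSRF is deliberately left enabled on this chain: it relies on a cookie session.
    }
  }
}
```

Two points to check when adopting this: the @Order values matter, because two adapters with the same default order fail to start, and the REST chain must come first so that its antMatcher() claims /rest/** before the catch-all chain sees it. On the UI side, the logout link has to become a form that POSTs to /logout with the CSRF token (Thymeleaf's th:action adds it automatically); a plain GET /logout will no longer be accepted once CSRF protection is on.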
