simbro

Reputation: 3672

Spring Boot + Spring Security - unable to log out

I have a REST API built with Spring Boot and Spring Security. I have read from the docs that Spring Security defaults to logging the current user out when they request /logout. However, I can't seem to get this to work.

This is my security configuration:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().fullyAuthenticated() // every request needs a fully authenticated user
                .and()
            .httpBasic()                           // HTTP Basic only; no form login, so no /login page exists
                .and()
            .csrf().disable();
    }
}

However, when I make a request to /logout, I receive the following error:

{
    "timestamp": 1485096094269,
    "status": 404,
    "error": "Not Found",
    "message": "No message available",
    "path": "/login"
}

Upvotes: 3

Views: 7239

Answers (2)

JUAN CALVOPINA M

Reputation: 3965

Maybe it's a little late to answer this question, but it may be useful to someone.

The configure() method is missing the logout() invocation, for example:

http.authorizeRequests()
        .anyRequest().fullyAuthenticated()
        .and()
        .httpBasic()
        .and()
    .logout() // This is missing and is important
        .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
        .logoutSuccessUrl("/login");

Also you can configure your own login page:

http.authorizeRequests()
        // this allows the root and resources to be available without logging in
        .antMatchers("/", "/resources/**").permitAll()
        // any other type of request will need the credentials
        .anyRequest().authenticated()
        .and()
    // uses the custom login form
    .formLogin()
        .loginPage("/login")
        .defaultSuccessUrl("/home") // redirect to home page
        .failureUrl("/login?error") // redirect to error page
        .permitAll()
        .and()
    // logout and redirect to login page
    .logout()
        .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
        .logoutSuccessUrl("/login");

Upvotes: 8
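For a REST API that has no login page to redirect to, the logout configuration usually looks a bit different from the form-login example above. The following is an added example (not code from the question or the answer) of a WebSecurityConfigurerAdapter that keeps the question's HTTP Basic setup but makes /logout answer with 204 instead of redirecting to /login, and that restricts logout to POST so a plain link or image tag cannot trigger it. Class name RestLogoutSecurityConfig is an assumed name; the API calls are the Spring Security 4.x/5.x HttpSecurity DSL used on this page.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Assumed class name; illustrates REST-style logout for the HTTP Basic setup in the question.
@Configuration
@EnableWebSecurity
public class RestLogoutSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().fullyAuthenticated()
                .and()
            .httpBasic()
                .and()
            // Kept disabled as in the question; non-browser API clients usually have no CSRF token.
            .csrf().disable()
            .logout()
                // Accept POST only: a GET link or <img src="/logout"> from another site
                // must not be able to end the session.
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "POST"))
                // Drop the server-side session, the SecurityContext and the session cookie.
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .deleteCookies("JSESSIONID")
                // Reply 204 No Content instead of redirecting to a /login page
                // that an API without formLogin() does not serve (the 404 in the question).
                .logoutSuccessHandler(
                    new HttpStatusReturningLogoutSuccessHandler(HttpStatus.NO_CONTENT));
    }
}
```

Two caveats for this setup. With CSRF disabled, the POST-only matcher stops link- and image-triggered logout but not a forged cross-site form POST; only CSRF protection blocks that. And with HTTP Basic the browser caches the credentials and re-sends them on the next request, so server-side logout only invalidates the session: the client has to stop sending the Authorization header for the logout to be effective.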

user1767316

Reputation: 3641

If using AngularJS, check that you use withHttpOnlyFalse():

.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())

https://stackoverflow.com/a/43204307/1767316

Upvotes: 0
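As an added example (not code from the answer above), this is the configuration that line fits into when CSRF protection stays enabled for a browser client. CookieCsrfTokenRepository issues the token as the XSRF-TOKEN cookie and expects it back in the X-XSRF-TOKEN header, which is exactly the convention AngularJS's $http follows; withHttpOnlyFalse() is what lets the page's JavaScript read that cookie. The class name CookieCsrfSecurityConfig is assumed.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Assumed class name; shows the cookie-based CSRF token repository for a JavaScript client.
@Configuration
@EnableWebSecurity
public class CookieCsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .httpBasic()
                .and()
            .csrf()
                // Token lives in the XSRF-TOKEN cookie with httpOnly=false so the browser client
                // can read it and echo it back in the X-XSRF-TOKEN header on every state-changing
                // request. The cookie is readable by script on purpose; the token is still
                // bound to the user's session, so a foreign origin cannot obtain it.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

With CSRF left enabled, Spring Security's default /logout matcher already requires POST, and that POST must carry the X-XSRF-TOKEN header like any other mutating request; a client that omits it gets 403 rather than a logout.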
