Reputation: 53
I'm trying to enable csrf protection, but for the login page only.
I added the following spring security configuration (the <http>
tag already existed)
<http ... >
<sec:csrf request-matcher-ref="myBean" />
...
</http>
<bean id="myBean" class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern" value="/login"/>
<constructor-arg name="httpMethod" value="POST"/>
</bean>
The login page now indeed has csrf protection. However, for a strange reason, /logout now gives a 404 error. In fact, if I replace /login with /foobar, I still have a 404 error on /logout. But if I add disabled="true" in the <sec:csrf/> tag, it works again.
Any idea why?
Thanks
Upvotes: 1
Views: 4182
Reputation: 326
If csrf is enabled, a POST request performs the log out, as said in this question. Maybe this (Logout is not working in Spring Security) can help.
In https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#servlet-considerations-csrf-logout it is said that:
If CSRF protection is enabled (default), Spring Security’s LogoutFilter only processes HTTP POST. This ensures that log out requires a CSRF token and that a malicious user cannot forcibly log out your users. The easiest approach is to use a form to log out. If you really want a link, you can use JavaScript to have the link perform a POST (i.e. maybe on a hidden form). For browsers with JavaScript that is disabled, you can optionally have the link take the user to a log out confirmation page that will perform the POST.
In this section it is also explained how to perform an HTTP GET request to log out, although it is not generally recommended.
Upvotes: 4
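As an added example (not code from the question or the answer), here is the form-based logout the documentation recommends, as a JSP fragment; it assumes the default session-based CSRF token repository, which exposes the token to views as the `_csrf` request attribute.

```html
<%-- Added example, not from the question or answer: a JSP logout form. --%>
<%-- Assumes the default HttpSessionCsrfTokenRepository, which publishes the
     token as the "_csrf" request attribute (parameterName defaults to "_csrf"). --%>
<%-- Once <sec:csrf/> is enabled, LogoutFilter matches only POST /logout. A plain
     <a href="/logout"> sends GET, reaches no filter or handler, and so produces the
     404 described in the question, whatever request-matcher-ref selects. --%>
<form action="${pageContext.request.contextPath}/logout" method="post">
    <%-- request-matcher-ref decides which requests CsrfFilter token-checks, not which
         requests LogoutFilter handles. With the questioner's matcher (POST /login only)
         this POST is accepted without a token; with the default matcher (every method
         except GET, HEAD, TRACE, OPTIONS) the hidden field below is required. --%>
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
    <button type="submit">Log out</button>
</form>
```

Keeping the default `<sec:csrf/>` matcher rather than narrowing it to /login means both the login and logout POSTs are token-checked, which is what the quoted paragraph is relying on.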