
I am experimenting with Spring Security 3.2.0.RC2 using Java config and it appears that the logout URL is POST only. Is this by design and is there any way to make it log out a user with a GET request?

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Enclosing class added for context; the class name is a placeholder.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/resources/**", "/signup", "/about", "/password").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll();
        // No .logout() customisation: the default logout endpoint is POST /logout.
    }
}
NA.

1 Answer


This is intentional and is documented within the CSRF documentation. The reason is to prevent CSRF attacks that forcibly log users out of your application. If you would like to support non-POST requests you can do so with the following Java Configuration:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Inside the same WebSecurityConfigurerAdapter subclass as in the question
@Override
protected void configure(HttpSecurity http) throws Exception {
  http
    // ... authorizeRequests()/formLogin() configuration from the question ...
    .logout()
       // A matcher built with only a pattern matches every HTTP method, so GET /logout
       // is accepted as well as POST. The CSRF filter does not check GET requests.
       .logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
}

You can also find information about configuring log out on the Javadoc of the LogoutConfigurer (i.e. the object returned by the http.logout() method).

Rob Winch
  • Thanks, almost embarrassing with the answer so clearly documented. – NA. Dec 04 '13 at 13:40
  • No problem... in all fairness to yourself I did update the documentation with the example of how to support non-POST logout after seeing the question (although the rest of it including the javadoc example was there previously) – Rob Winch Dec 04 '13 at 14:49
  • How would I do that w/ xml configuration? – dpham May 26 '14 at 06:59
  • You would use tag to insert an instance of the LogoutFilter – Rob Winch May 27 '14 at 14:27
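As an added illustration, not code from the question or from Rob Winch's answer: the question's configuration combined with the answer's logoutRequestMatcher, behind a flag so that the POST-only default stays the normal case and the any-method matcher is opted into deliberately. The class name, the flag, the logoutSuccessUrl value and the cookie name are my assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Hypothetical class name; the request rules are the ones from the question.
@Configuration
@EnableWebSecurity
public class LogoutSecurityConfig extends WebSecurityConfigurerAdapter {

    // Default false: logout stays POST /logout, so the CSRF filter (enabled by
    // default in 3.2 Java config) checks the _csrf token and a third-party page
    // cannot log the user out through an <img> or a plain link. Set to true only
    // if a GET logout link is genuinely required.
    private static final boolean ALLOW_GET_LOGOUT = false;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/resources/**", "/signup", "/about", "/password").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll();

        // Same LogoutConfigurer instance the chain would return; kept in a local
        // so the optional matcher can be applied separately.
        LogoutConfigurer<HttpSecurity> logout = http.logout()
            .logoutSuccessUrl("/login?logout")   // assumed landing page
            .invalidateHttpSession(true)
            .deleteCookies("JSESSIONID");        // assumed session cookie name

        if (ALLOW_GET_LOGOUT) {
            // The answer's matcher: a pattern without a method matches GET, POST,
            // PUT, DELETE, HEAD, ... on /logout. GET requests bypass CSRF checking,
            // which is exactly why the framework defaults to POST.
            logout.logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
        }
    }
}
```

With the flag left at false, a logout form must submit by POST and carry the _csrf token; with it set to true, an unauthenticated cross-site GET to /logout ends the session.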