
I'm using basic authentication to secure an initial REST web service that I'm working on. Everything seems to work okay, except the logout path does not seem to work. It redirects to "/login?logout", as documented, but my user does not seem to actually be logged out. (i.e. I can still access page X and not page Y as expected).

Application config:

import org.springframework.boot.SpringApplication;
import org.springframework.boot.actuate.autoconfigure.ManagementSecurityAutoConfiguration;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
// @EnableSwagger is not a Spring annotation; assumed here to be the swagger-springmvc one.
import com.mangofactory.swagger.plugin.EnableSwagger;

@Configuration
@ComponentScan
// Spring Boot 1.x: the actuator's own security auto-configuration is excluded so that
// the rules in ApplicationSecurity below are the only ones applied, /manage/** included.
@EnableAutoConfiguration(exclude = ManagementSecurityAutoConfiguration.class)
@EnableWebSecurity
@EnableSwagger
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    // Ordered so this configuration takes precedence over Boot's default security rules.
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    @Configuration
    protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.httpBasic()   // credentials arrive in the Authorization header on every request
                .and()
                .authorizeRequests()
                    .antMatchers("/manage/**").hasRole("ADMIN")
                    .anyRequest().fullyAuthenticated()
                .and()
                .logout()
                    .permitAll()
                    // accept GET /logout (with CSRF enabled the default matcher only accepts POST)
                    .logoutRequestMatcher(new AntPathRequestMatcher("/logout", HttpMethod.GET.toString()))
                    // ends the server-side HttpSession only; it cannot clear the browser's cached credentials
                    .invalidateHttpSession(true);
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Plain-text in-memory users for the demo.
            auth.inMemoryAuthentication()
                .withUser("admin").password("admin").roles("ADMIN", "USER")
                .and()
                .withUser("user").password("user").roles("USER");
        }
    }
}

Please note that security in general looks to be working. I can open a new incognito tab and the authentication / security works as expected.

bvulaj

  • Do you test with a browser? Are you sure it is not caching credentials and reuses them "behind your back"? You should check request/response roundtrips to make sure. – GPI Aug 07 '14 at 20:54
  • I don't think that's happening. I've disabled caching at the moment, and in the logs it seems as if the session was even cleared when I access a "USER" secured path: `2014-08-07 16:58:36.931 INFO 2132 --- [nio-8080-exec-2] o.s.b.a.audit.listener.AuditListener : AuditEvent [timestamp=Thu Aug 07 16:58:36 EDT 2014, principal=user, type=AUTHENTICATION_SUCCESS, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null}]` – bvulaj Aug 07 '14 at 21:00
  • If it matters, logout **does** work when utilized with formLogin()... Am I misunderstanding how the logout path is supposed to work? – bvulaj Aug 07 '14 at 21:19
  • 1
    As GPI says, you should check your browser isn't re-sending the credentials automatically, which is common with basic auth and independent of any concept of server-side logout. Also enable debug logging on the server. – Shaun the Sheep Aug 07 '14 at 23:23
  • 1
    As @LukeTaylor mentioned in general logout doesn't work with basic/digest authentication. Afaik once authenticated the browser keeps sending the headers to the application which effectifly will do a new login once you logged out. – M. Deinum Aug 08 '14 at 06:14

1 Answer

You cannot log out from basic HTTP authentication with a logout link.

Please check a similar thread here.

Sezin Karli