
I use Spring 4.1.6.RELEASE and Spring Security 4.0.1.RELEASE. I have the following configuration:

<http auto-config="false" entry-point-ref="customAuthenticationEntryPoint" create-session="ifRequired">
    <intercept-url pattern="/**" access="hasAuthority('Admin')" />
    <custom-filter before="BASIC_AUTH_FILTER" ref="loginTokenFilter" />
    <logout logout-url="/logout" success-handler-ref="logoutSuccessHandler" />
    <access-denied-handler error-page="/noaccess.html"/>
    <headers>
        <frame-options policy="SAMEORIGIN" />
    </headers>
</http>

And my logout success handler is:

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.stereotype.Component;

// Bean name must match the success-handler-ref in the <logout> element.
@Component("logoutSuccessHandler")
public class MyLogoutSuccessHandler implements LogoutSuccessHandler {

    private static final Logger logger = LoggerFactory.getLogger(MyLogoutSuccessHandler.class);

    // Application-specific helper (not shown in the question) that issues the redirect.
    private final MyRedirectHandler redirectHandler;

    @Autowired
    public MyLogoutSuccessHandler(MyRedirectHandler redirectHandler) {
        this.redirectHandler = redirectHandler;
    }

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication authentication) throws IOException, ServletException {
        // A committed response can no longer be redirected.
        if (response.isCommitted()) {
            logger.debug("Won't redirect");
            return;
        }

        redirectHandler.redirectToLogin(request, response, true);
    }
}

Login is working great, but logout is not. I put a breakpoint into MyLogoutSuccessHandler.onLogoutSuccess() and called http://localhost:8080/myapp/logout from the browser. The success handler wasn't called.

Am I doing something wrong? Should I provide specific @RequestMapping for "/logout" path?

In web.xml I have the following:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
  • Is CSRF on? You need to POST the logout form if it is... – Neil McGuigan Aug 26 '15 at 08:05
  • Not familiar with CSRF, so can not tell for sure... Regarding POST, I am currently sending only a GET request. If POST is needed, should there be any specific data in the POST body too? – me1111 Aug 26 '15 at 08:18

1 Answer

By default Spring Security enables CSRF, and logout MUST be a POST request as it expects a CSRF token. Check the Spring CSRF documentation. Another similar SO question.

You can switch off CSRF like this in your config if you want logout to work with a GET request:

<http auto-config="false">
    <csrf disabled="true"/>
    <!-- rest of the configuration unchanged -->
</http>

If you don't want to switch off CSRF, you must POST logout like this:

<c:url var="logoutUrl" value="/logout"/>
<form action="${logoutUrl}" method="post">
  <input type="submit" value="Log out" />
  <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>