I am trying to implement logout for a site with basic authentication with Spring Boot. The solution below works only in Chrome; it is not working in Firefox.

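import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;

@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
        .antMatcher("/**")
        .authorizeRequests()
            // Static resources and the post-logout page are public
            .antMatchers("/js/**", "/fonts/**", "/css/**", "/images/**", "/againlogin**")
            .permitAll()
        .anyRequest()
            .fullyAuthenticated()
        // HTTP Basic: credentials are checked on every request
        .and().httpBasic()
        .and().csrf().disable();
    }
}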

From HTML I trigger an AJAX call for logout:

<a href="javascript:logoutUser()">Logout</a>

In JavaScript:

function logoutUser() {
    ClearAuthentication("/againlogin.html");
}

function ClearAuthentication(LogOffPage) {
    var IsInternetExplorer = false;

    try {
        var agt = navigator.userAgent.toLowerCase();
        if (agt.indexOf("msie") != -1) { IsInternetExplorer = true; }
    } catch (e) {
        IsInternetExplorer = false;
    }

    if (IsInternetExplorer) {
        // Log off Internet Explorer
        document.execCommand("ClearAuthenticationCache");
        window.location = LogOffPage;
    } else {
        // Log off all other browsers (requires jQuery)
        $.ajax({
            username: 'unknown',
            password: 'WrongPassword',
            url: '/logout',
            type: 'GET',
            beforeSend: function (xhr) {
                xhr.setRequestHeader("Authorization", "Basic AAAAAAAAAAAAAAAAAAA=");
            },
            error: function (err) {
                window.location = LogOffPage;
            }
        });
    }
}

I am not getting logged out.

Can someone help me fix this issue?

Patan
  • You cannot logout with basic authentication. With HTTP Basic as soon as you are successfully authenticated the browser sends the credentials with each request. Each time you do a request you basically login again. – M. Deinum May 18 '16 at 09:59
  • Also see http://stackoverflow.com/questions/233507/how-to-log-out-user-from-web-site-using-basic-authentication for more information on the why (and potential how). – M. Deinum May 18 '16 at 10:05
  • @M.Deinum. Thanks. I implemented the solution as edited in the question. This seems to work in Chrome, not in Firefox. It would be great if you can help. – Patan May 18 '16 at 10:35
  • As mentioned, basic authentication is designed to work like that. The "solution" might work on some browsers, not on others. The "solution" is basically a hack/workaround/trick. In essence, HTTP basic authentication isn't meant/designed to deal with logout. – M. Deinum May 18 '16 at 15:27
  • @M.Deinum.. Thank you – Patan May 19 '16 at 05:52
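
The behaviour described in the comments above, as an added example that is not part of the original question or its comments: a small Node.js model of a server that checks HTTP Basic credentials on every request and of a browser that replays its cached `Authorization` header. `USERS`, `sessions`, `handle`, `Browser` and `demo` are hypothetical names, the account is constructed, and this is neither Spring Security nor real browser code.

```javascript
// Constructed model of stateless HTTP Basic auth; all names here are hypothetical.
const USERS = { alice: 's3cret' };   // constructed sample account
const sessions = new Set();          // server-side state that /logout is able to clear

// Parse "Basic base64(user:pass)"; returns null when the header is missing or malformed.
function parseBasic(header) {
  const m = /^Basic ([A-Za-z0-9+/]+=*)$/.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':');    // split on the first ':'; the password may contain ':'
  return i < 0 ? null : { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// Server side: each request is authenticated from its own header, nothing else.
function handle(req) {
  const c = parseBasic(req.headers.authorization);
  const known = c !== null && Object.prototype.hasOwnProperty.call(USERS, c.user);
  if (!known || USERS[c.user] !== c.pass) {
    return { status: 401, headers: { 'WWW-Authenticate': 'Basic realm="app"' } };
  }
  if (req.url === '/logout') {
    sessions.delete(c.user);         // the server forgets the user...
    return { status: 200, body: 'bye' };
  }
  sessions.add(c.user);              // ...and the next valid request logs them in again
  return { status: 200, body: 'hello ' + c.user };
}

// Browser model: credentials are entered once, cached, and sent with every request.
class Browser {
  constructor() { this.cached = null; }
  enterCredentials(user, pass) {
    this.cached = 'Basic ' + Buffer.from(user + ':' + pass).toString('base64');
  }
  get(url) { return handle({ url, headers: { authorization: this.cached } }); }
}

function demo() {
  const b = new Browser();
  b.enterCredentials('alice', 's3cret');
  const first = b.get('/home').status;
  const logout = b.get('/logout').status;
  const clearedOnServer = !sessions.has('alice');
  const afterLogout = b.get('/home').status;       // cached header is replayed
  b.enterCredentials('unknown', 'WrongPassword');  // what the workaround tries to force
  const afterOverwrite = b.get('/home').status;
  return { first, logout, clearedOnServer, afterLogout, afterOverwrite };
}
```

`demo()` shows the request after `/logout` still succeeding because the cached header is replayed; access stops only once the cached credentials themselves are replaced, a step that happens inside the browser.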
