
I am moving from Spring Security 3.2 to 4.1, and I (still) use XML configuration.

It seems that using the `<logout />` element does not allow setting the HTTP method to GET.

Is this true?

If yes, does it mean I have to create a Controller mapping to "/logout" and log out programmatically from there?

yglodt
  • You shouldn't use `GET` to modify (session) state. That breaks all kinds of security guidelines. (and maybe your application: http://stackoverflow.com/a/14587231/995891 ) – zapl Jun 02 '16 at 08:18
  • I went for POST now, with JavaScript. Thanks for the information. – yglodt Jun 02 '16 at 09:41

1 Answer


Due to legacy reasons, I have to use GET for my LogoutFilter and XML config. The below works. Note I don't recommend working around the CSRF protection, but I've had to.

This might help others.

    <!-- Custom LogoutFilter: invalidates the session and redirects to /loggedOut. -->
    <b:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <b:constructor-arg name="logoutSuccessUrl" value="/loggedOut" />
        <b:constructor-arg name="handlers">
            <b:list>
                <b:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
            </b:list>
        </b:constructor-arg>
        <!-- Match GET /logout* instead of the POST the namespace enforces when CSRF is on. -->
        <b:property name="logoutRequestMatcher">
            <b:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <b:constructor-arg name="pattern" value="/logout*"/>
                <b:constructor-arg name="httpMethod" value="GET"/>
            </b:bean>
        </b:property>
    </b:bean>

Remember to put the custom filter in the `<http>` element:

    <custom-filter before="CSRF_FILTER" ref="logoutFilter" />

The key thing here is that you register your own `logoutRequestMatcher`.

Joel
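The POST-based logout the comments recommend, as an added example that is not from the question or the answer above: a JSP fragment that submits `/logout` with the CSRF token Spring Security 4's CsrfFilter exposes as the `_csrf` request attribute, so the default `<logout />` and `<csrf />` settings in `<http>` stay in place and no GET workaround is needed. The `/logout` URL and the `logoutForm`/`logoutLink` ids are assumptions.

```jsp
<%-- Assumes <csrf /> and the default <logout /> inside <http>, so /logout
     only matches POST and the request must carry the CSRF token. --%>
<form id="logoutForm" action="${pageContext.request.contextPath}/logout" method="post">
    <%-- CsrfFilter sets the _csrf request attribute; parameterName is "_csrf"
         by default, so this renders as a hidden _csrf field. --%>
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
    <button type="submit">Log out</button>
</form>

<%-- Optional link-styled logout (assumed id) that still POSTs the same form,
     instead of a plain GET href that CSRF protection would reject. --%>
<a id="logoutLink" href="#">Log out</a>
<script>
    document.getElementById('logoutLink').addEventListener('click', function (e) {
        e.preventDefault();
        document.getElementById('logoutForm').submit();
    });
</script>
```

Because the token is tied to the session, a logout request without it is rejected by the CsrfFilter, which is exactly the protection the GET matcher in the answer bypasses.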