0

For this Spring Boot application I'm writing I implemented Spring Security, logging in works, only the logout feature doesn't wanna log me out.. Although it does redirect me to the logoutSuccessURL it doesn't clear the SecurityContext I believe..

@Configuration
@EnableWebSecurity
public class SpringSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/bower_components/**").permitAll()
                .antMatchers("/index.html", "/").permitAll()
                .antMatchers("/#/overview").hasAnyRole("ROLE_ADMIN")
                .anyRequest().authenticated()
            .and()
                .formLogin()
                    .loginPage("/")
                    .loginProcessingUrl("/authenticate")
                    .usernameParameter("username").passwordParameter("password")
                    .defaultSuccessUrl("/#/overview")
                    .successHandler(new LoginSuccessHandler(new SavedRequestAwareAuthenticationSuccessHandler()))
                    .failureHandler(new LoginFailureHandler())
                    .permitAll()
            .and()
                .logout()
                    .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                    .logoutSuccessUrl("/#/login?yes").deleteCookies("JSESSIONID")
                    .invalidateHttpSession(true) 
                    .permitAll()
            .and()
                .exceptionHandling().accessDeniedPage("/#/access_denied?error")
            .and()
                .httpBasic()
            .and()
                .csrf().disable();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("joeri").password("joeri").roles("USER");
    }
}

Main Method

@SpringBootApplication
public class MyApp {

    public static void main(String[] args) {
        SpringApplication.run(MyApp.class, args);
    }
}

Login Handlers

public class LoginFailureHandler implements AuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException ex) throws IOException, ServletException {

        System.out.println("made it here failure" + ex.getMessage());
        if ("true".equals(request.getHeader("X-Login-Ajax-call"))) {
            response.getWriter().print("{\"status\": " + HttpStatus.BAD_REQUEST.value()
                    + ", \"success\" : false, \"message\" : \"" + ex.getMessage() + "\"}");
            response.getWriter().flush();
        }
    }
}

Success handler

public class LoginSuccessHandler implements AuthenticationSuccessHandler {
    private AuthenticationSuccessHandler defaultHandler;

    public LoginSuccessHandler(AuthenticationSuccessHandler defaultHandler) {
        this.defaultHandler = defaultHandler;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication auth)
            throws IOException, ServletException {
        System.out.println("made it here, success");
        if ("true".equals(request.getHeader("X-Login-Ajax-call"))) {
            response.getWriter().print("{\"status\": " + HttpStatus.OK.value()
                    + ", \"success\" : true, \"message\" : \"Authentication Succesful\"}");
            response.getWriter().flush();
        } else {
            defaultHandler.onAuthenticationSuccess(request, response, auth);
        }

    }

}

Angular Code:

$scope.preparePostData = function() {
    var username = $scope.username != undefined ? $scope.username : '';
    var password = $scope.password != undefined ? $scope.password : '';

    return 'username=' + username + '&password=' + password;
}

$scope.login = function() {
    var postData = $scope.preparePostData();
    $http({
        method : 'POST',
        url : 'authenticate',
        data : postData,
        headers : {
            "Content-Type" : "application/x-www-form-urlencoded",
            "X-Login-Ajax-call" : 'true'
        }
    }).then(function(response) {
        if (response.status == 200) {
            if (response.data.status == 200) {
                $state.go('overview');
            } else {
                $scope.error_message = "Bad login credentials";
            }
        }
    })
}

$scope.logout = function() {
    $http({
        method : 'POST',
        url : 'logout',
        headers : {
            "Content-Type" : "application/x-www-form-urlencoded",
            "X-Logout-Ajax-call" : 'true'
        }
    }).then(function(response) {
        console.log(response);
        if (response.status == 200) {
            console.log(response);
            $state.go('login');
        } else {
            console.log("Logout failed!");
        }
    })
}

I'm missing something.. I can't see what though. If someone could point me towards the right direction, that would be awesome.

Joeri Boons
  • 79
  • 2
  • 8
  • You cannot logout with HTTP Basic authentication. Each request contains the username/password and hence you basically login at each request. If you want to logout you would also have to reset your browser which isn't possible... – M. Deinum Jun 28 '16 at 09:02
  • How would I go about fixing this? Do I start over with something else? Any directions I should take a look at? – Joeri Boons Jun 28 '16 at 09:08

0 Answers0