Spring Security logout issues

Question

My app serves both web pages and rest endpoints (Spring boot + Spring 4)

I'm trying to set a basic InMemoryAuth, but /logout does not work.

From browser, it redirects to /login?logout with a 404 and no effect to user session.

@EnableWebSecurity
@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {


  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .authorizeRequests()
        .antMatchers("/rest/**").hasRole("USER")
        .antMatchers("/ui/**").hasRole("USER")
      .and().logout()
            .logoutUrl("/logout")
      .and().httpBasic()
      .and().csrf().disable();
  }

  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
          auth
            .inMemoryAuthentication()
            .withUser("user").password("pass").roles("USER");
  }
}

EDIT

with the followind chain

http
  .authorizeRequests().anyRequest().authenticated()
  .and().logout().logoutUrl("/logout").logoutSuccessUrl("/").permitAll()
  .and().httpBasic()
  .and().csrf().disable();

and a root page defined, no 404 error.

With debug enabled, I'm able to see

Logging out user 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@442b5a9f: Principal: org.springframework.security.core.userdetails.User@36ebcb: Username: user; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER' and transferring to logout destination
Invalidating session: B264148444D372CFC899A5B920818B68

but the browser does not ask user/passwd anymore, i'm able to access all urls..

Answer 1

The Default Success Url for Logout is /login?logout. Since you don't have formLogin() configured so that you will be having a /login that is why you get a 404. you better change logout().logoutSuccessUrl("/") so that it will redirect to root.

UPDATE

Answering for the EDIT section of the question. You have HTTP Basic enabled with following

httpBasic()

Which means Once you enter username and password in the popup which Browser gives the Browser will be sending the following Header for all the requests you make to your Spring Security Protected Site.

Authorization: Basic base64(username+":"+password)

That is why you can access all the URLs. It will keep on Login the User In with Each Request if Not Already Logged In. Sadly there is no fix for this at the moment. This is according to Wikipedia.

Existing browsers retain authentication information until the tab or browser is closed or the user clears the history. [1] HTTP does not provide a method for a server to direct clients to discard these cached credentials. This means that there is no effective way for a server to "log out" the user without closing the browser. This is a significant defect that requires browser manufacturers to support a 'logout' user interface element (mentioned in RFC 1945, but not implemented by most browsers) or API available to JavaScript, further extensions to HTTP, or use of existing alternative techniques such as retrieving the page over SSL/TLS with an unguessable string in the URL.