How to log out with spring security basic auth?

Question

Someone can say that this is a duplicate question but I have looked through a lot of answers, tried a bunch of methods but can not understand what I have missed.

I use very basic Spring Security in my REST server. When I first time make a request to my server directly from a browser to localhost:.../getData I am of course asked to authorize.

Then the server permits this request every time. How I can logout so that the next requests require an authorization again?

Now I tried to use several methods on my server for logout:

@RequestMapping(value = "/logoutMe2", method = RequestMethod.GET)
public void logout2() {

    SecurityContextHolder.getContext().setAuthentication(null);

}

@RequestMapping(value = "/logoutMe3", method = RequestMethod.GET)
public void logout3() {

    SecurityContextHolder.clearContext();

}


@RequestMapping(value = "/logoutMe", method = RequestMethod.GET)
public void logout(HttpServletRequest rq, HttpServletResponse rs) {

    SecurityContextLogoutHandler securityContextLogoutHandler =
            new SecurityContextLogoutHandler();
    securityContextLogoutHandler.logout(rq, rs, null);

}

@RequestMapping(value = "/logoutMe4", method = RequestMethod.GET)
public static void myLogoff(HttpServletRequest request, HttpServletResponse response) {
    CookieClearingLogoutHandler cookieClearingLogoutHandler = new CookieClearingLogoutHandler(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
    SecurityContextLogoutHandler securityContextLogoutHandler = new SecurityContextLogoutHandler();
    cookieClearingLogoutHandler.logout(request, response, null);
    securityContextLogoutHandler.logout(request, response, null);
}

If I use direct link

http://localhost:.../j_spring_security_logout

I receive a Not Found error.

What I am missing? It seems that I have forget some obvious thing...

Answer 1

EDIT: As others have pointed out, the problem OP is having is due to BasicAuth header. The answer below won't address the problem.

=====

Spring security by default provides a URL /logout.

You can configure a different URL by using WebSecurityConfigurerAdapter like so:

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    protected void configure(HttpSecurity http) throws Exception {
        http
            .logout()                                                                
            .logoutUrl("/my/logout")                                                 
            .logoutSuccessUrl("/my/index")                                           
            .logoutSuccessHandler(logoutSuccessHandler)                              
            .invalidateHttpSession(true)                                             
            .addLogoutHandler(logoutHandler)                                         
            .deleteCookies(cookieNamesToClear)                                       
            .and()
            ...
    }
}

The above was java configuration. If you are using xml namespace configs, it will be something similar to below:

<security:http>
        ...
        <security:logout logout-url="/app/logout" />
        ...
</security:http>

More information can be found in the below links:

• Logout handling for Java Configs: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#jc-logout
• Logout handling for Xml namespace Configs: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#ns-logout

Now, it is interesting why your logoutMe4 doesn't work. I don't know the answer. It seems to be doing enough things to complete the logout but I don't know your full configs, so there might be something that has not been cleared/invalidated. You should use supported configurations to do the logout anyway instead of manually doing it but it is still possible to find out why by checking out spring-security source code and see how the LogoutConfigurer class configures the SecurityContextLogoutHandler.