The official Spring GitHub repo's README reads:

The application is almost finished functionally. The last thing we need to do is implement the logout feature that we sketched in the home page. If the user is authenticated then we show a "logout" link and hook it to a logout() function in the AppComponent. Remember, it sends an HTTP POST to "/logout" which we now need to implement on the server. This is straightforward because it is added for us already by Spring Security (i.e. we don’t need to do anything for this simple use case). For more control over the behaviour of logout you could use the HttpSecurity callbacks in your WebSecurityAdapter to, for instance execute some business logic after logout.

Taken from: https://github.com/spring-guides/tut-spring-security-and-angular-js/tree/master/single

However, I am using basic authentication and testing it with Postman app. The POST on '/logout' gives me a 403 Forbidden like so:

{
    "timestamp": "2018-07-30T07:42:48.172+0000",
    "status": 403,
    "error": "Forbidden",
    "message": "Forbidden",
    "path": "/logout"
}

My Security Configurations are:

// Imports, annotations and the class wrapper are added so the posted configure() override
// compiles as a complete configuration; the class name SecurityConfig is assumed, the
// question shows only the method. Behaviour is unchanged: the three authorizeRequests()
// calls in the original all return the same registry, so the matchers are simply appended.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // matchers are evaluated in order; registration stays open
                .antMatchers("/user/save").permitAll()
                .antMatchers("/user/**").hasRole("USER")
                .antMatchers("/admin/**").hasRole("ADMIN")
                .and()
            .httpBasic()        // credentials arrive in the Authorization header on every request
                .and()
            .logout()           // POST /logout handled by Spring Security's LogoutFilter
                .permitAll()
                .and()
            .csrf()
                // XSRF-TOKEN cookie readable by JavaScript; a mutating request must echo it back
                // in the X-XSRF-TOKEN header (or a _csrf parameter) or CsrfFilter answers 403
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}

I want the session to be invalidated, all the cookies to be deleted, such that when I query again on the endpoint /user with wrong credentials, I should get a 403. However, even after POST on /logout (which gives 403 anyway), the application accepts the GET on /user from the previous session and shows me the details of the user.

The endpoint is:

@GetMapping
public Principal user(Principal user){
    return user;
}
Debanik Dawn

  • Okay, I got something. The console shows: `Invalid CSRF token found for http://localhost:8009/logout`. I understand what it means but, why should this be? I can see the XSRF-TOKEN in the cookies section of the Postman app. Only reason can be it's not sending the cookie(?) – Debanik Dawn Jul 30 '18 at 09:49
  • Okay, I made a form and POST-ed to `/logout`, it works fine. There must be a problem with the Postman app. Anyway, however, after I logout, the browser still sends the `Authentication` header as before and I get logged in without prompt. – Debanik Dawn Jul 30 '18 at 10:28
  • FYI logout in BASIC does not make sense. BASIC is stateless authentication (sent with every request), there is no such thing as application logout... you need to tell the browser to stop sending the Authorization header. That is not something the application does (unlike with other session based or token based authentication schemes, where the application can invalidate some state it holds). – Pavel Horal Jul 30 '18 at 10:29
  • https://stackoverflow.com/questions/233507/how-to-log-out-user-from-web-site-using-basic-authentication https://security.stackexchange.com/questions/68675/logging-out-of-basic-http-authentication – Pavel Horal Jul 30 '18 at 10:30
  • Possible duplicate of [How to log out user from web site using BASIC authentication?](https://stackoverflow.com/questions/233507/how-to-log-out-user-from-web-site-using-basic-authentication) – Pavel Horal Jul 30 '18 at 10:32
  • @DebanikDawn *Browser?* As far as I remember, Postman is a browser plugin. However, for some reason, Postman isn't sending the CSRF token. Hence, you get 403. Your problem shouldn't exist in your JavaScript/Angular app. Did you try it? – dur Jul 30 '18 at 10:40
  • @DebanikDawn I'm not sure what kind of application you are writing. If you use REST you don't need any session and then you do not need to logout. This will also solve your original problem with the wrong password. You could still use basic authentication. – dur Jul 30 '18 at 10:47
  • @dur Yes. If the application is making authenticated calls only via AJAX, the authentication can be handled programmatically. But then the "logout" would be just deleting some variables. And still a better approach would be to have either some token and/or use session so that page refresh won't automatically result in logout and the browser won't have to hold on to sensitive credentials. – Pavel Horal Jul 30 '18 at 10:49
  • @PavelHoral (Remark: it is opionion-based) If the application is a REST application I would suggest basic authentication or OAuth2 (or any other standard token based authentication), but in any case REST should not use any HTTP session. A page refresh should not result in a logout, because credentials (username, password or token) are stored in the app (local storage). – dur Jul 30 '18 at 10:55
  • Yes, Angular apps are working fine. And I am writing REST services using Spring. I am also writing an Angular front end to use the REST services. I don't need an HTTP session explicitly but I do need to check whether a user is authenticated to view/alter some data. – Debanik Dawn Jul 30 '18 at 11:12
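
The two behaviours discussed in the question and the comments (the 403 on POST /logout when the XSRF-TOKEN cookie is present but never echoed back, and the browser being "logged in" again right after logout because HTTP Basic carries the credentials on every request) can be pinned down with a Spring Boot MockMvc test. This is an added example, not code from the question, the Spring guide or the Spring Security project. It assumes Spring Boot 2.x with spring-security-test on the test classpath, the question's configuration in the application, a GET /user endpoint guarded by ROLE_USER, and a user "user"/"password" with ROLE_USER (for instance via spring.security.user.name, .password and .roles in test properties); the class name, package and those credentials are all assumptions.

```java
package com.example.security;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;

// Added example; assumes a user "user"/"password" with ROLE_USER and a GET /user endpoint.
@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class LogoutBehaviourTest {

    @Autowired
    private MockMvc mvc;

    /** The Postman case: the XSRF-TOKEN cookie exists, but nothing echoes it back. */
    @Test
    public void logoutWithoutCsrfTokenIsRejected() throws Exception {
        mvc.perform(post("/logout").with(httpBasic("user", "password")))
           .andExpect(status().isForbidden());      // CsrfFilter: "Invalid CSRF token found for .../logout"
    }

    /** The HTML form case: the token travels as the _csrf request parameter. */
    @Test
    public void logoutWithCsrfParameterSucceeds() throws Exception {
        mvc.perform(post("/logout").with(httpBasic("user", "password")).with(csrf()))
           .andExpect(status().is3xxRedirection()); // default logout success handler redirects to /login?logout
    }

    /** The Angular case: the token travels as the X-XSRF-TOKEN header. */
    @Test
    public void logoutWithCsrfHeaderSucceeds() throws Exception {
        mvc.perform(post("/logout").with(httpBasic("user", "password")).with(csrf().asHeader()))
           .andExpect(status().is3xxRedirection());
    }

    /** What logout does revoke (the session) and what it cannot (replayed Basic credentials). */
    @Test
    public void logoutInvalidatesSessionButNotBasicCredentials() throws Exception {
        // 1. Authenticate once; with the default IF_REQUIRED policy the SecurityContext
        //    is stored in a newly created HTTP session.
        MvcResult first = mvc.perform(get("/user").with(httpBasic("user", "password")))
                             .andExpect(status().isOk())
                             .andReturn();
        MockHttpSession session = (MockHttpSession) first.getRequest().getSession(false);

        // 2. The session cookie alone is enough; no Authorization header on this call.
        mvc.perform(get("/user").session(session))
           .andExpect(status().isOk());

        // 3. Logout invalidates that session ...
        mvc.perform(post("/logout").session(session).with(csrf()))
           .andExpect(status().is3xxRedirection());

        // 4. ... so the session-only request is now answered 401 by the Basic entry point.
        mvc.perform(get("/user").session(session))
           .andExpect(status().isUnauthorized());

        // 5. A client that keeps replaying the Authorization header (browsers and Postman do)
        //    is authenticated again from scratch: BasicAuthenticationFilter holds no
        //    server-side state, so there was nothing for logout to revoke.
        mvc.perform(get("/user").with(httpBasic("user", "password")))
           .andExpect(status().isOk());
    }
}
```

The first test is the Postman failure from the question: with CookieCsrfTokenRepository the server only checks that the value in the XSRF-TOKEN cookie is repeated in the X-XSRF-TOKEN header or a _csrf parameter, so a cookie that is merely stored is not enough. Angular's HttpClient copies that cookie into the header automatically for same-origin mutating requests, which is why the cookie must be readable by JavaScript (withHttpOnlyFalse()). The last test is the point made in the comments: under HTTP Basic, "logout" is something the client does by discarding the stored credentials; if the API is meant to hold no state at all, adding sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) to the configuration stops the server creating the session in step 1 in the first place.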

0 Answers