Spring security logout handling

13
votes

According to Spring Security 4.0.0 document:

4.2.4 Logout Handling

The logout element adds support for logging out by navigating to a particular URL. The default logout URL is /logout, but you can set it to something else using the logout-url attribute. More information on other available attributes may be found in the namespace appendix.

However, after following security setting in the doc, the URL /logout doesn't show logout page. Instead, it shows

enter image description here

On the contrary, the URL /login works properly.

enter image description here

The following is my setting:

Spring Framework 4.1.6
Spring Security 4.0.0

Web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0">
    <display-name>Test8</display-name>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>default.html</welcome-file>
        <welcome-file>default.htm</welcome-file>
        <welcome-file>default.jsp</welcome-file>
    </welcome-file-list>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/security-config.xml</param-value>
    </context-param>


</web-app>

security-config.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd">
    <http>
        <intercept-url pattern="/**" access="hasRole('USER')" />
        <form-login />
        <logout />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="aaa" password="111" authorities="ROLE_USER, ROLE_ADMIN" />
                <user name="bbb" password="222" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>
7
springspring-security
codeproject.com/Tips/521847/Logout-Spring-s-LogoutFilter can this help you? - OhadR
I am facing the same issue in my application. It worked well with version 3.2.7, and since I upgraded to 4.0.1 there is no mapping for /logout url anymore. - yglodt

7 Answers

13
votes

Spring security automatically enables csrf, which automatically disabled GET logouts. You can fix this by disabling csrf protection by settings <csrf disabled="true"/> in the <http> , or just using a POST.

See http://docs.spring.io/spring-security/site/docs/4.0.1.RELEASE/reference/htmlsingle/#csrf-logout

9
votes

Simply, put the following code in the jsp where you want to have the logout-

<c:url var="logoutUrl" value="/j_spring_security_logout" />
    <form action="${logoutUrl}" id="logout" method="post">
        <input type="hidden" name="${_csrf.parameterName}"
            value="${_csrf.token}" />
    </form>
    <a href="#" onclick="document.getElementById('logout').submit();">Logout</a>

Corresponding entry in the bean configuration file-

<security:logout logout-url="/j_spring_security_logout" logout-success-url="/whateverPageYouWant" invalidate-session="true" />

-This worked for me for spring-security-4.*

3
votes
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
   //...
   http.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
  }
}
1
votes
  1. The logout url is "/j_spring_security_logout" so edit your view accordingly

  2. CSRF is by default enabled which will require every POST request (which the logout is) to have a CSRF token. So either disable CSRF (which I will not recommend) or frame the logout inside a form with action as above logout url and a hidden input with CSRF token like this

0
votes

Note that there is no "logout page". the /logout is Spring's endpoint, that let Spring know that the app asks to logout a user, so it invokes a specific handler.

After logging the user out, Spring redirects to another page, and you can configure the "default target" in your XML.

0
votes

Add to Spring Security:

<logout
 logout-success-url="/anonymous.html"
 logout-url="/perform_logout"
 delete-cookies="JSESSIONID" />

under http tag

0
votes

With Spring security 4.2.13 I have a managed to make this work by navigating to the logout URL through a form submission (POST method) instead of using a link.

I replaced <p><a href="<c:url value='/logout'/>">Log out</a></p> with

<form name='f' action='${pageContext.request.contextPath}/logout' method='POST'>
<input name="logout" type="submit" value="Log out" />
<input name="${_csrf.parameterName}" type="hidden"
    value="${_csrf.token}" />
</form>

in my view layer, which is a JSP page. This way you will get a button instead of a link. (In older Spring versions the default logout URL was "/j_spring_security_logout".)