So, I'm trying to get my first ever practice application with Spring Security working. It's just a simple test to try and see if I can just get the basics working, before moving on to more complex implementations.
I'm using Spring Security 4 btw, with Spring 4.2.2.
Right now, I have a welcome page and an admin page. Trying to access the admin page is intercepted and redirected to the default Spring Security login form. From there, I can login and be authenticated to access the admin page.
On the admin page, I have a logout link. This is where it goes wrong. I have two logout links right now, for two different methods I've tried of making this work.
The first is a simple URL. It uses the <a> tag, and within it is the JSTL <c:url> tag. I'm trying to call the logout URL there. When I do, I get an HTTP Status 404 page with a description saying "The requested resource is not available."
The second way is with a form. I try having a submit button in a form, with the form's action attribute set to the logout URL and the method set to post.
This one gives me a more complex error, which I'll copy and paste here:
Title: HTTP Status 403 - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.
Type: Status report
Message: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.
Description: Access to the specified resource has been forbidden.
The URL of the error page in both cases, btw, is localhost:8080/spring-security/logout, spring-security being the name of this test app.
So, I'm a bit lost. This is my first time working with Spring Security, and I really don't know what I'm doing wrong. Any help would be appreciated.
Below I'm pasting my admin.jsp page and my spring-security.xml page.
Thanks in advance.
admin.jsp page:
<%@ page session="true" %>
<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
<head>
    <%@ include file="jstl-stub.jsp" %> <!-- Include links to JSTL Libraries -->
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>Admin Page</title>
</head>
<body>
    <h1>Title: ${title}</h1>
    <h1>Message: ${message}</h1>
    <c:if test="${pageContext.request.userPrincipal.name != null}">
        <h2>Welcome: ${pageContext.request.userPrincipal.name}
        | <a href="<c:url value="/logout"/>">Logout</a></h2>
        <br><br>
        <form action="logout" method="post">
            <input type="submit" value="logout"/>
        </form>
    </c:if>
</body>
</html>
spring-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.2.xsd">

    <security:http auto-config="true">
        <security:intercept-url pattern="/admin" access="hasRole('ROLE_USER')"/>
        <security:logout logout-url="/logout" logout-success-url="/welcome"/>
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="user" password="password" authorities="ROLE_USER"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>

</beans:beans>
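Both symptoms in the question come from the same default: Spring Security 4's XML namespace configuration enables CSRF protection unless it is switched off, and with CSRF protection on, the LogoutFilter only accepts a POST to the logout URL (so the GET link falls through to the servlet container and produces the 404), and that POST must carry the session's CSRF token (so a token-less form is rejected with the 403 "Invalid CSRF Token 'null'"). The fragment below is an added example, not the asker's code: it shows the logout form from admin.jsp carrying the token that Spring Security's CsrfFilter exposes as the `_csrf` request attribute. It assumes the same `/logout` URL and `jstl-stub.jsp` include as the posted page; everything else in the posted spring-security.xml can stay exactly as it is.

```jsp
<%@ page session="true" %>
<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
<head>
    <%@ include file="jstl-stub.jsp" %> <!-- same JSTL include as the original page -->
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>Admin Page</title>
</head>
<body>
    <c:if test="${pageContext.request.userPrincipal.name != null}">
        <h2>Welcome: ${pageContext.request.userPrincipal.name}</h2>

        <%-- Logout must be a POST while CSRF protection is enabled; a plain
             GET link to /logout is not matched by the LogoutFilter at all. --%>
        <form action="<c:url value='/logout'/>" method="post">
            <%-- CsrfFilter stores the current CsrfToken in the request under
                 the attribute name "_csrf". parameterName is "_csrf" by default
                 and token is the per-session value the filter compares against. --%>
            <input type="hidden"
                   name="${_csrf.parameterName}"
                   value="${_csrf.token}"/>
            <input type="submit" value="Logout"/>
        </form>
    </c:if>
</body>
</html>
```

Using `<c:url>` for the form action keeps the context path (`/spring-security`) out of the page, so the form posts to `/spring-security/logout` regardless of which page it sits on. If the `spring-security-taglibs` jar is on the classpath, `<sec:csrfInput/>` from the `http://www.springframework.org/security/tags` taglib renders the same hidden input. The alternative of adding `<security:csrf disabled="true"/>` inside `<security:http>` would make the original GET link work, because the logout filter then accepts any HTTP method, but it does so by removing CSRF protection from every state-changing request in the application, which is exactly what the token exists to prevent.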