I'm setting up the security system on my project (Grails - AngularJS) with Spring Security Rest Plugin v1.5.4 (using spring security core 2.0.0) for Grails 2.4.4. Doc about this plugin can be found here.

I'm testing the login and logout with the Postman Chrome REST client and I'm able to do a login OK, but I'm getting a 404 when I do logout.

The documentation clearly says:

The logout filter exposes an endpoint for deleting tokens. It will read the token from an HTTP header. If found, will delete it from the storage, sending a 200 response. Otherwise, it will send a 404 response

You can configure it in Config.groovy using these properties:

Config key                                                       Default value
grails.plugin.springsecurity.rest.logout.endpointUrl             /api/logout
grails.plugin.springsecurity.rest.token.validation.headerName    X-Auth-Token

So, after doing a login successfully, I tried to do a logout to that url (my_host_url/api/logout) with a GET method and sending a header X-Auth-Token with the token I got previously from login.

But I keep getting a 404. See image below


Edit: I'm setting the chain map like this (in order to get a stateless behavior):

grails.plugin.springsecurity.filterChain.chainMap = [
        '/api/**': 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter',  // Stateless chain
        '/**': 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter'                                                                          // Traditional chain
]

So, what am I doing wrong here, or what am I missing?

Thanks in advance!

Can you provide your code for the "logout" method? I think the resource mapping is missing either the "get" method or the proper "path". - devbd
@devbd, thanks for your reply! Actually I didn't implement a logout method. I thought the plugin added this implicitly as the login method. Is that correct? - lealceldeiro
Please check the plugin's default login URL. I think the URL should be only "/logout". - devbd
My mistake. Please check if grails.plugin.springsecurity.filterChain.chainMap is set with "stateless". - devbd

1 Answer

You missed another excerpt from the docs. It's a warning message literally before the chunk you quoted, and says:

Logout is not possible when using JWT tokens (the default strategy), as no state is kept in the server.

If you still want to have logout, you can provide your own implementation by creating a subclass of JwtTokenStorageService and overriding the methods storeToken and removeToken. Then, register your implementation in resources.groovy as tokenStorageService.
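
The behaviour discussed in this thread, as an added example that is not part of the original answer and is not the plugin's code: a small Python model of why a purely stateless JWT has nothing to delete at logout, and how a store/remove pair gives the logout endpoint something to revoke. The class and function names, the 200/404 mapping taken from the quoted documentation, and the signing key are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json, time
SECRET = b"constructed-demo-key"  # constructed value, for this example only

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(signing_input):
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue_jwt(username, ttl=3600):  # minimal HS256 JWT, for modelling only
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": username, "exp": int(time.time()) + ttl}).encode())
    return f"{head}.{body}.{_sign(head + '.' + body)}"

def verify_jwt(token):
    """Stateless check: signature and expiry only, no server-side lookup."""
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(f"{head}.{body}"), sig):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (ValueError, TypeError):
        return None
    return claims if claims["exp"] > time.time() else None

class StatelessStorage:
    """Models the default JWT strategy: nothing is stored, so nothing can be removed."""
    def remove_token(self, token):
        raise KeyError("stateless: token cannot be removed")

class TrackingStorage:
    """Models the override: keep a hash of each live token so logout can revoke it."""
    def __init__(self):
        self._live = set()
    def store_token(self, token):
        self._live.add(hashlib.sha256(token.encode()).hexdigest())
    def remove_token(self, token):
        self._live.remove(hashlib.sha256(token.encode()).hexdigest())  # KeyError if unknown
    def load_user(self, token):
        known = hashlib.sha256(token.encode()).hexdigest() in self._live
        return verify_jwt(token) if known else None

def logout(storage, token):
    """200 if the token was deleted from storage, otherwise 404."""
    try:
        storage.remove_token(token)
        return 200
    except KeyError:
        return 404
```

With the stateless model the token keeps validating until its `exp` claim passes, whatever the logout call returns, so short token lifetimes matter when no server-side state is kept.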