Call to j_spring_security_logout not working

Question

I'm trying to setup the logut of my application with j_spring_security_logout but for some reason it's not working, I keep getting a 404 error.

I'm calling the function like this:

<a href="<c:url value="/j_spring_security_logout"/>"><img border="0" id="logout" src="./img/logout.png" /></a>

I have in WebContent/jsp/ my application main page, and the login and logout pages are in WebContent/login/.

I've also checked this other post Problem with Spring security's logout but the solution given there is not working for me.

Here you can see my web.xml

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>
     org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
</filter> 

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

And here my spring-security.xml

<http auto-config="true">
    <intercept-url pattern="/*" access="ROLE_USER" />
    <form-login login-page="/login/login.jsp" 
                authentication-failure-url="/login/errorLogin.jsp"/>
    <logout logout-success-url="/" logout-url="/login/logout.jsp" />
</http>

<beans:bean id="myAuthenticationProvider" 
    class="myapp.web.authentication.WSAuthenticationProvider">
</beans:bean>

<authentication-manager>
    <authentication-provider ref="myAuthenticationProvider"/>
</authentication-manager>

Thanks in advance.

Answer 1

the logout-url refers to a virtual URL, you need not have any resource by that name. You can do either this:

<logout logout-success-url="/" logout-url="/j_spring_security_logout" /> 

and the link on your page like this

<c:url value="/j_spring_security_logout" var="logoutUrl" /> <a href="${logoutUrl}">Log Out</a> 

OR this:

<logout logout-success-url="/" logout-url="/logout" /> 

and the link as follows:

<c:url value="/logout" var="logoutUrl" /> <a href="${logoutUrl}">Log Out</a> 

You were mixing both thats why you were getting 404 error.

Answer 2

check whether csrf is enabled. If csrf enabled, need to use post method to logout, add csrf token as hidden field. then use JavaScript to post the form to logout

Answer 3

With spring security 4 Logout has to be done through form button. CSRF token has to be submitted along. j_spring_security_logout does not work any longer. After spending one day i got following to be working.
Step 1: In your JSP page

<c:url var="logoutUrl" value="/logout"/>
<form action="${logoutUrl}" method="post">
    <input type="submit" value="Logout"/>
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>

Step 2

<security:http use-expressions="true">
<security:form-login login-page="/login" authentication-failure-url="/login?error=true" />
<security:logout logout-success-url="/login" invalidate-session="true" logout-url="/logout" />
</security:http>

Step 3 In your login controller

//Logout mapping
@RequestMapping("/logout")
public String showLoggedout(){
    return "logout";
}

Step 4 You must have one logout.jsp

Important to see that it will land onto login page after logout.

<security:form-login login-page="/login" authentication-failure-url="/login?error=true" />

So this login page must be there with corresponding mappping to login.jsp or whatever to map in your controller.