Error 404 on spring logout

Question

I am trying to add login functionality to my app with spring security v.4. Login works fine, but when I am trying to logout an error 404 appears. Spring Security reference says that default logout URL is /logout. My app is deployed under /app URL and I tried following URL's localhost:8080/app/logout and localhost:8080/app/json/logout. I found some similar issues on stack but they are about case when CSRF protection is used and I'm not using it. Here is part of my my web.xml file

    <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/json-servlet.xml,
        /WEB-INF/applicationContext.xml</param-value>
</context-param>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<servlet>
    <servlet-name>json</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>json</servlet-name>
    <url-pattern>/json/*</url-pattern>
</servlet-mapping>

and my json-servlet.xml where is spring security configuration:

    <context:component-scan base-package="test" />
<mvc:annotation-driven />

<security:http>
    <security:intercept-url pattern="/**" access="hasRole('USER')" />
    <security:form-login />
    <security:logout />
</security:http>

<security:authentication-manager>
    <security:authentication-provider>
        <security:user-service>
            <security:user name="test" password="1" authorities="ROLE_USER, ROLE_ADMIN" />
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>

Thanks in advance.

Answer 1

According to the documentation starting from version 4 of pring Security CSRF is enabled by default, and the only method supported by default is POST, therefore you can call it by using a form like this:

<form method="post" action="${pageContext.request.contextPath}/logout" id="form-logout">
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>         
</form>

Or explicitly disable csrf protection

<http>
    <!-- ... -->
    <csrf disabled="true"/>
</http>

From documentation

If you really want to use HTTP GET with logout you can do so, but remember this is generally not recommended. For example, the following Java Configuration will perform logout with the URL /logout is requested with any HTTP method:

@EnableWebSecurity
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
          .logout()
          .logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
    }
}