
How to disable logout confirmation in spring security using xml?

I have updated Spring Security from 4.x to 5.x. Now I have this situation where Spring Security asks the user to confirm logout, with the message:

Are you sure you want to log out?

The image below shows the same.
[image]

I want to get rid of this step. How do I get rid of the logout confirmation?

Objective: I want to log out and redirect to the page I came from.

The security.xml:

<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                http://www.springframework.org/schema/security
                http://www.springframework.org/schema/security/spring-security-4.2.xsd">


    <http auto-config="true" use-expressions="true">
        <!-- isAnonymous() -->
        <intercept-url pattern="/**/add/**" access="isAuthenticated()" />
        <intercept-url pattern="/**/delete/**" access="isAuthenticated()" />
        <intercept-url pattern="/**/update/**" access="isAuthenticated()" />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="uzer64" password="{noop}123456" authorities="ROLE_USER" />
                <user name="admin" password="{noop}admin" authorities="ROLE_ADMIN" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
Vytsalo asked Oct 02 '19 06:10


2 Answers

It is a CSRF feature to avoid logout requests initiated by malicious JavaScript from another site.
Your request is GET /logout, and hence Spring Security wants to confirm it by a user action such as a click.

So, to avoid it, your logout request should be a POST and contain a valid _csrf token.

You can achieve it by using the Spring form tag with method post, as given below:

<%@ taglib uri="http://www.springframework.org/tags/form" prefix="form"%>
...
<form:form action="${pageContext.request.contextPath}/logout" 
           method="post" modelAttribute="AnyModelAttributePassedFromController">
    <form:button value="submit"> Logout</form:button>
</form:form>
...

Or

<%@ taglib uri="http://www.springframework.org/tags/form" prefix="form"%>
...
<form:form action="${pageContext.request.contextPath}/logout" 
           method="post" modelAttribute="_csrf">
    <form:button value="submit"> Logout</form:button>
</form:form>
...
PraveenKumar Lalasangi answered Sep 26 '22 01:09


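// Goes inside a class that extends WebSecurityConfigurerAdapter.
// Needs: org.springframework.security.config.annotation.web.builders.HttpSecurity
//        org.springframework.security.web.util.matcher.AntPathRequestMatcher
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .logout()
            // No HTTP method is given, so /logout matches any method, GET included.
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
}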

It works for me.

Mihail Klopotnuk answered Sep 24 '22 01:09