I have updated Spring Security from 4.x to 5.x. Now I have a situation where Spring Security asks the user to confirm logout, with the message:
Are you sure you want to log out?
An image of this is given below.
I want to get rid of this step. How do I get rid of the logout confirmation?
Objective: I want to log out and be redirected to the page I came from.
The security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                http://www.springframework.org/schema/security
                http://www.springframework.org/schema/security/spring-security-4.2.xsd">
    <http auto-config="true" use-expressions="true">
        <!-- isAnonymous() -->
        <intercept-url pattern="/**/add/**" access="isAuthenticated()" />
        <intercept-url pattern="/**/delete/**" access="isAuthenticated()" />
        <intercept-url pattern="/**/update/**" access="isAuthenticated()" />
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="uzer64" password="{noop}123456" authorities="ROLE_USER" />
                <user name="admin" password="{noop}admin" authorities="ROLE_ADMIN" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
It is a CSRF feature to avoid a logout request initiated by malicious JavaScript from another site.
Your request is GET: /logout, and hence Spring Security wants to confirm it by a user action such as a click.
So, to avoid it, your logout request should be a POST and contain a valid _csrf token.
You can achieve this by using the Spring form tag with method post, as given below:
<%@ taglib uri="http://www.springframework.org/tags/form" prefix="form"%>
...
<form:form action="${pageContext.request.contextPath}/logout" 
           method="post" modelAttribute="AnyModelAttributePassedFromController">
    <form:button value="submit"> Logout</form:button>
</form:form>
...
Or
<%@ taglib uri="http://www.springframework.org/tags/form" prefix="form"%>
...
<form:form action="${pageContext.request.contextPath}/logout" 
           method="post" modelAttribute="_csrf">
    <form:button value="submit"> Logout</form:button>
</form:form>
...
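import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

    // Inside a WebSecurityConfigurerAdapter subclass.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .logout()
                // No HTTP method is given, so /logout matches any method, GET included.
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
    }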
It works for me.
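Added example, not part of the original posts: a Java configuration counterpart to the POST logout form above that keeps CSRF protection on and, for the question's objective, redirects back to the referring page only when the Referer points at the same host. The class names LogoutConfig and SameOriginRefererLogoutHandler and the "/" fallback are assumptions; it targets Spring Security 5.x with the javax.servlet API.

```java
import java.io.IOException;
import java.net.URI;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

@EnableWebSecurity
public class LogoutConfig extends WebSecurityConfigurerAdapter { // hypothetical class name
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/**/add/**", "/**/delete/**", "/**/update/**").authenticated()
                .anyRequest().permitAll()
                .and()
            .formLogin().and()
            // CSRF protection stays enabled, so the default logout matcher applies:
            // only POST /logout carrying a valid _csrf token logs the user out.
            .logout()
                .logoutSuccessHandler(new SameOriginRefererLogoutHandler());
    }

    // Hypothetical handler: follow the Referer only when it names this host.
    static class SameOriginRefererLogoutHandler implements LogoutSuccessHandler {
        @Override
        public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                    Authentication authentication) throws IOException {
            response.sendRedirect(safeTarget(request.getHeader("Referer"),
                    request.getServerName(), request.getContextPath() + "/"));
        }

        static String safeTarget(String referer, String serverName, String fallback) {
            if (referer == null) return fallback;          // header absent or stripped
            try {
                URI uri = URI.create(referer);
                return serverName.equalsIgnoreCase(uri.getHost()) ? referer : fallback;
            } catch (IllegalArgumentException e) {
                return fallback;                           // malformed Referer header
            }
        }
    }
}
```

A relative or opaque Referer (for example a `javascript:` URI) has no host, so it also falls back to the application root instead of being followed.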