Custom logout URL with Spring Security

Question

We follow a certain convention when creating our URIs. All authentication related URIs such as /login, /logout, /changepassword etc fall under the sub-context /auth.

Thus our authentication-related URIs look like:

/auth/login
/auth/logout
/auth/changepassword

This is what we have in the Spring security context XML.

<http pattern="/auth/**" security="none" />
<http pattern="/resources/**" security="none" />

<http auto-config="true" access-decision-manager-ref="accessDecisionManager">
    <intercept-url pattern="/admin/**" access="ADMINISTRATIVE_ACCESS"/>
    <intercept-url pattern="/**" access="XYZ_ACCESS"/>

    <form-login
            login-page="/auth/login"
            default-target-url="/content"
            authentication-failure-url="/auth/loginFailed"
            authentication-success-handler-ref="authenticationSuccessHandler"/>

    <logout logout-url="/auth/logout" logout-success-url="/auth/login"/>
</http>

The problem now is that /auth/logout gives me a 404 when accessed. However, if I change it to start with something other than /auth such as /abcd/logout or even /logout, it works fine.

I am thinking this is due to the fact that we have defined /auth/** as unsecured and yet trying to use it as a logout page. (How can you access logout if you have not logged in?)

Is there any way out of this in order to please our rather strict URI naming convention?

Answer 1

You're right about the part:

I am thinking this is due to the fact that we have defined /auth/** as unsecured and yet trying to use it as a logout page. (How can you access logout if you have not logged in?)

More precise defining

<http pattern="/auth/**" security="none" />

means no Spring Security filter is applied to requests that match /auth/** pattern and hence Spring Security does not controll /auth/logout URL while it should.

Because Spring Security matches pattern from top to bottom simple override for /auth/logout in your main <http> won't work, so solution to that problem can be defining separate patterns:

<http pattern="/auth/login" security="none" />
<http pattern="/auth/changepassword" security="none" />
<http pattern="/resources/**" security="none" />

<http auto-config="true" use-expressions="true" access-decision-manager-ref="accessDecisionManager">
    <intercept-url pattern="/auth/logout" access="permitAll"/>
    <intercept-url pattern="/admin/**" access="ADMINISTRATIVE_ACCESS"/>
    <intercept-url pattern="/**" access="XYZ_ACCESS"/>
    <!-- rest of your config -->
</http>

If you have many of /auth/* URLs to be handled, you can use <http>'s request-matcher="regex", but I don't think it'll be readable that way.

Answer 2

Instead of security="none", I think you want access="permitAll" (explanation of permitAll in the docs).

I'm not sure what security="none" is supposed to do, but I think you might have it confused with filters="none", which causes the Spring Security chain to be bypassed completely.