
Spring Web Security logout not working with httpBasic authentication

I'm using basic authentication to secure an initial REST web service that I'm working on. Everything seems to work okay, except the logout path does not seem to work. It redirects to "/login?logout", as documented, but my user does not seem to actually be logged out (i.e., I can still access page X and not page Y, as expected).

Application config:

@Configuration
@ComponentScan
@EnableAutoConfiguration(exclude = ManagementSecurityAutoConfiguration.class)
@EnableWebSecurity
@EnableSwagger
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    @Configuration
    protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.httpBasic()
                .and()
                .authorizeRequests()
                    .antMatchers("/manage/**").hasRole("ADMIN")
                    .anyRequest().fullyAuthenticated()
                .and()
                .logout()
                    .permitAll()
                    .logoutRequestMatcher(new AntPathRequestMatcher("/logout", HttpMethod.GET.toString()))
                    .invalidateHttpSession(true);
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                .withUser("admin").password("admin").roles("ADMIN", "USER")
                .and()
                .withUser("user").password("user").roles("USER");
        }
    }
}

Please note that security in general looks to be working. I can open a new incognito tab and the authentication / security works as expected.

Asked by bvulaj, Sep 03 '25 04:09


1 Answer

You cannot log out from basic HTTP authentication with a logout link.

Please check a similar thread here.

Answered by Sezin Karli, Sep 05 '25 00:09
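
The behaviour described in the question and answer, as a minimal Python model of the HTTP exchange (an added example, not code from the question or from Spring Security; the handler functions, the session store and the bare session id in `Cookie` are hypothetical simplifications). The logout request invalidates the server-side session, but the browser keeps sending its cached `Authorization: Basic` header, so the next request is authenticated again.

```python
import base64
import secrets

# Constructed users mirroring the question's in-memory configuration.
USERS = {"admin": "admin", "user": "user"}
SESSIONS = {}  # hypothetical server-side session store: session id -> username


def basic_header(username, password):
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def authenticate(headers):
    """Return (username, session_id), or (None, None) if the request is anonymous."""
    sid = headers.get("Cookie")
    if sid in SESSIONS:                      # a live session is honoured first
        return SESSIONS[sid], sid
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):            # otherwise credentials are checked per request
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:                   # malformed base64 or non-UTF-8 bytes
            return None, None
        expected = USERS.get(user)
        if expected is not None and secrets.compare_digest(expected.encode(), pw.encode()):
            sid = secrets.token_hex(8)
            SESSIONS[sid] = user             # a fresh session is created silently
            return user, sid
    return None, None


def handle(path, headers):
    """Return (status, session_id) for one request."""
    if path == "/logout":
        SESSIONS.pop(headers.get("Cookie"), None)   # session invalidated
        return 302, None                            # redirect to /login?logout
    user, sid = authenticate(headers)
    return (200, sid) if user else (401, None)


def browser_flow():
    """Replay the question's scenario; the browser never drops its cached header."""
    cached = {"Authorization": basic_header("user", "user")}
    first, sid = handle("/x", cached)
    logout, _ = handle("/logout", {**cached, "Cookie": sid})
    after, new_sid = handle("/x", {**cached, "Cookie": sid})   # stale cookie + cached header
    no_creds, _ = handle("/x", {"Cookie": sid})                # client without credentials
    return first, logout, after, no_creds, new_sid != sid
```

`browser_flow()` returns `(200, 302, 200, 401, True)`: the request after logout succeeds under a new session because the header is still sent, and only a client that stops sending credentials gets a 401.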