Issue with Spring security's logout

I've got a problem logging out in Spring framework.

First, when I want j_spring_security_logout to handle it for me, I get a 404: j_spring_security_logout not found. sample-security.xml:

<http>
    <intercept-url pattern="/messageList.htm*" access="ROLE_USER,ROLE_GUEST" />
    <intercept-url pattern="/messagePost.htm*" access="ROLE_USER" />
    <intercept-url pattern="/messageDelete.htm*" access="ROLE_ADMIN" />
    <form-login login-page="/login.jsp" default-target-url="/messageList.htm"
        authentication-failure-url="/login.jsp?error=true" />
    <logout/>
</http>

Sample url link to logout in JSP page:

<a href="<c:url value="/j_spring_security_logout" />">Logout</a>

When I try to use a custom JSP page, i.e. I use the login form for this purpose, I get a better result: at least it gets to the login page. But another problem is that you don't get logged off, as you can directly type a URL that should be guarded, but you get past it anyway.

Slightly modified from previous listings:

<http>
    <intercept-url pattern="/messageList.htm*" access="ROLE_USER,ROLE_GUEST" />
    <intercept-url pattern="/messagePost.htm*" access="ROLE_USER" />
    <intercept-url pattern="/messageDelete.htm*" access="ROLE_ADMIN" />
    <form-login login-page="/login.jsp" default-target-url="/messageList.htm"
        authentication-failure-url="/login.jsp?error=true" />
    <logout logout-success-url="/login.jsp" />
</http>

<a href="<c:url value="/login.jsp" />">Logout</a>

Thank you for help

Jarek asked Jun 18 '10 09:06

1 Answer

I've just had this problem.

You need to make sure that in web.xml your security filter matches on the URL /j_spring_security_logout.

e.g.

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/j_spring_security_logout</url-pattern>
</filter-mapping>

brommersman answered Oct 18 '22 14:10
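
One way to check the mapping the answer describes, as an added example that is not part of the original question or answer: it reads a web.xml and lists the URLs that the springSecurityFilterChain mapping does not cover, using the servlet url-pattern rules for filters. The web.xml content (including its *.htm mapping) and the helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment: the filter is mapped only to *.htm, so the
# logout URL never reaches Spring Security and the container answers 404.
WEB_XML = """<web-app>
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>*.htm</url-pattern>
  </filter-mapping>
</web-app>"""

def local(tag):
    """Strip an XML namespace so namespaced web.xml files also parse."""
    return tag.rsplit("}", 1)[-1]

def filter_patterns(web_xml, filter_name="springSecurityFilterChain"):
    """Return every url-pattern mapped to the named filter."""
    patterns = []
    for el in ET.fromstring(web_xml).iter():
        if local(el.tag) != "filter-mapping":
            continue
        fields = [(local(c.tag), (c.text or "").strip()) for c in el]
        if ("filter-name", filter_name) in fields:
            patterns += [v for k, v in fields if k == "url-pattern"]
    return patterns

def matches(pattern, path):
    """Servlet url-pattern rules for filters: prefix, extension, exact."""
    if pattern == "/*":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path

def uncovered(web_xml, paths):
    """Context-relative paths (no query string) the filter chain never sees."""
    patterns = filter_patterns(web_xml)
    return [p for p in paths if not any(matches(pt, p) for pt in patterns)]

if __name__ == "__main__":
    urls = ["/messageList.htm", "/messageDelete.htm", "/j_spring_security_logout"]
    print("not covered by the filter:", uncovered(WEB_XML, urls))
```

Mapping the filter to /* covers both the protected pages and the logout URL, whereas a mapping for the logout URL alone leaves the .htm pages outside the filter chain.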