
Spring Security: 404 on logout

When I try to access the logout URL of my spring application, I get a 404 error and No mapping found for HTTP Request with URI [/logout] in DispatcherServlet with name 'mvc-dispatcher' in my server log.

I have already tried "Call to j_spring_security_logout not working", "Issue with Spring security's logout" and pretty much all of the related results on SO.

I'm including the complete configuration files as the Spring xml structure isn't quite clear to me yet.

My security configuration:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <http pattern="/resources/**" security="none" />

    <http auto-config="true">
        <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/**" access="ROLE_USER" />
        <form-login login-page="/login" default-target-url="/"/>
        <logout logout-url="/logout" />
        <csrf />
    </http>

    <global-method-security secured-annotations="enabled" />

    <authentication-manager>
        <authentication-provider user-service-ref="userDetailsService" />
    </authentication-manager>

</beans:beans>

My web.xml is this:

<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

    <display-name>XYZ</display-name>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/*-config.xml</param-value>
    </context-param>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <servlet>
        <servlet-name>mvc-dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>mvc-dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
</web-app>

How do I make the logout page work?

Thom Wiggers asked Apr 20 '14 20:04


4 Answers

If you are using logout with CSRF you must perform a POST. See http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf-logout

Rob Winch answered Nov 11 '22 09:11


I had the same problem after migrating from Spring 3.2 to 4 but I wanted to logout using a link on the view.

The Spring doco (http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf-include-csrf-token-form) explains how to do it in the view.

I used this snippet in the JSP to do the logout:

<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
<form:form action="${pageContext.request.contextPath}/logout" method="POST">
    <input type="submit" value="Logout" />
</form:form>

Tom Saleeba answered Nov 11 '22 07:11


Try this, logout with HTTP.GET

WebSecurityConfigurerAdapter

// In HttpSecurity configure
...
.logout()
...
.logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET"))
...
...

HTML

<a href="/logout">Logout</a>

chenset answered Nov 11 '22 08:11


In order to solve this, it's usually required to convert a logout link into a POST form button with hidden CSRF token, which can be achieved by:

<a href="#" onclick="document.getElementById('logout-form').submit();"> Logout </a>

<form id="logout-form" action="<c:url value="/logout"/>" method="post">
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>

gdrt answered Nov 11 '22 08:11