When I try to access the logout URL of my Spring application, I get a 404 error and "No mapping found for HTTP Request with URI [/logout] in DispatcherServlet with name 'mvc-dispatcher'" in my server log.
I have already tried "Call to j_spring_security_logout not working", "Issue with Spring security's logout" and pretty much all of the related results on SO.
I'm including the complete configuration files as the Spring XML structure isn't quite clear to me yet.
My security configuration:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http pattern="/resources/**" security="none" />
<http auto-config="true">
<intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page="/login" default-target-url="/"/>
<logout logout-url="/logout" />
<csrf />
</http>
<global-method-security secured-annotations="enabled" />
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService" />
</authentication-manager>
</beans:beans>
My web.xml is this:
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<display-name>XYZ</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/*-config.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
</web-app>
How do I make the logout page work?
If you are using logout with CSRF you must perform a POST. See http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf-logout
I had the same problem after migrating from Spring 3.2 to 4 but I wanted to logout using a link on the view.
The Spring doco (http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf-include-csrf-token-form) explains how to do it in the view.
I used this snippet in the JSP to do the logout:
<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
<form:form action="${pageContext.request.contextPath}/logout" method="POST">
<input type="submit" value="Logout" />
</form:form>
Try this, logout with HTTP.GET
WebSecurityConfigurerAdapter
// In HttpSecurity configure
...
.logout()
...
.logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET"))
...
...
HTML
<a href="/logout">Logout</a>
In order to solve this, it's usually required to convert a logout link into a POST form button with hidden CSRF token, which can be achieved by:
<a href="#" onclick="document.getElementById('logout-form').submit();"> Logout </a>
<form id="logout-form" action="<c:url value="/logout"/>" method="post">
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
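For pages where the logout link is handled by script rather than a hidden form, the same CSRF-protected POST can be sent with `fetch`. This is an added example, not code from any of the posts above; it assumes the page exposes the token through `<meta name="_csrf">` and `<meta name="_csrf_header">` tags (the pattern the Spring Security reference describes for AJAX requests), and the `logout-link` id is hypothetical.

```javascript
// Assumed markup rendered by the JSP (constructed for this example):
//   <meta name="_csrf" content="${_csrf.token}"/>
//   <meta name="_csrf_header" content="${_csrf.headerName}"/>
//   <a id="logout-link" href="/logout">Logout</a>

// Read the CSRF header name and token from the meta tags; null if either is missing.
function readCsrf(doc) {
  const meta = (name) => {
    const el = doc.querySelector(`meta[name="${name}"]`);
    return el ? el.getAttribute('content') : null;
  };
  const token = meta('_csrf');
  const header = meta('_csrf_header');
  return token && header ? { header, token } : null;
}

// Build the logout request. Fails closed: without a token it throws
// instead of falling back to a GET, which would be unprotected.
function buildLogoutRequest(csrf, logoutUrl) {
  if (!csrf) throw new Error('CSRF token missing; reload the page and retry');
  return {
    url: logoutUrl,
    init: {
      method: 'POST',                 // logout matches POST only when CSRF is enabled
      credentials: 'same-origin',     // send the session cookie, same origin only
      headers: { [csrf.header]: csrf.token },
    },
  };
}

// Send the POST and return the URL the server redirected to after logout.
async function logout(doc, fetchImpl, logoutUrl = '/logout') {
  const { url, init } = buildLogoutRequest(readCsrf(doc), logoutUrl);
  const res = await fetchImpl(url, init);
  if (res.status === 403) throw new Error('CSRF token rejected (expired session?)');
  if (!res.ok) throw new Error(`Logout failed with HTTP ${res.status}`);
  return res.url;
}

// Browser wiring: intercept the link click so no GET /logout is ever issued.
if (typeof document !== 'undefined') {
  const link = document.getElementById('logout-link');
  if (link) link.addEventListener('click', (e) => {
    e.preventDefault();
    logout(document, fetch)
      .then((target) => window.location.assign(target))
      .catch((err) => console.error(err.message));
  });
}
```

If the application is deployed under a context path, pass the full path (for example the value of `<c:url value="/logout"/>`) as `logoutUrl`.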