spring-security login?logout redirects to login

Question

I am using spring-security 3.2.0.RC2 with java config and two HttpSecurity configurations. One for REST API and one for UI. When I post to /logout it redirects to /login?logout but then (incorrectly) redirects to /login. When i enter username and password successfully I get redirected to login?logout and have to enter credentials a second time to get to the main page. So it seems like the permitAll for login is not being honored for login?logout.

My security config looks like this:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

@Resource
private MyUserDetailsService userDetailsService;

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth)
        throws Exception {
    StandardPasswordEncoder encoder = new StandardPasswordEncoder(); 
    auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
}

@Configuration
@Order(1)
public static class RestSecurityConfig
        extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/v1/**").authorizeRequests()
                .antMatchers("/v1/admin/**").hasRole("admin")
                .antMatchers("/v1/account/**").hasRole("admin")
                .antMatchers("/v1/plant/**").access("hasRole('admin') or hasRole('dataProvider')")
                .antMatchers("/v1/upload/**").access("hasRole('admin') or hasRole('dataProvider')")
                .antMatchers("/v1/**").authenticated()
            .and().httpBasic();
    }
}

@Configuration
@Order(2)
public static class UiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
       web.ignoring().antMatchers("/resources/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/account/**").hasRole("admin")
                .antMatchers("/admin/**").hasRole("admin")
                .antMatchers("/plant/**").access("hasRole('admin') or hasRole('dataProvider')")
                .antMatchers("/upload/**").access("hasRole('admin') or hasRole('dataProvider')")
                .anyRequest().authenticated()
            .and().formLogin().loginPage("/login").permitAll();
    }

}

}

Can anyone explain why this is happening or what is wrong with my configuration?

A secondary problem that I see with this configuration is that the jsp tag sec:authorize url=... does not work although sec:authorize access=... does work. In the url=... case it always shows the content even if the user is not authorized. I know the user is not authorized becuase hitting the link that should have been hidden by the sec:authorize tag results in a 403 Forbidden.

Any help on this greatly appreciated!

Answer 1

I found a workaround for this apparent bug. I added permitAll() on /login/** as follows:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/account/request/**").permitAll()
            .antMatchers("/login/**").permitAll()
            .antMatchers("/account/change_password/**").authenticated()
            .antMatchers("/account/**").hasAuthority("admin")
            .antMatchers("/admin/**").hasAuthority("admin")
            .antMatchers("/plant/**").hasAnyAuthority("admin", "dataProvider")
            .antMatchers("/upload/**").hasAnyAuthority("admin", "dataProvider")
            .anyRequest().authenticated()
        .and().formLogin().loginPage("/login").permitAll();
}

Answering my own question in case it helps anyone else who runs into this bug.