Why does /login?logout redirect to /login?

In my Spring project, I set the logout target url to "/login?logout" to display the login page with a message "You are now logged out".

In the Spring Security config, I did this:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers("/error").permitAll()
            .anyRequest().fullyAuthenticated()
            .and()
            .formLogin()
            .loginPage("/login")
            .permitAll()
            .successHandler(loginSuccessHandler)
            .failureUrl("/login?error")
            .and()
            .httpBasic()
            .and()
            .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .permitAll()
            .logoutSuccessHandler(logoutSuccessHandler);
}

And the logoutSuccessHandler:

// The setDefaultTargetUrl(...) and super.onLogoutSuccess(...) calls imply that this
// handler extends SimpleUrlLogoutSuccessHandler; the class wrapper (name assumed) is
// shown here so the method has its context.
public class CustomLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {

        if (authentication != null) {
            Log.debug(authentication.getName() + " LOGOUT !!");
        }

        // Redirect target after a successful logout
        setDefaultTargetUrl("/login?logout");
        super.onLogoutSuccess(request, response, authentication);
    }
}

When I try to log out, I arrive on the page "/login" (without the ?logout). I don't understand why it redirects me to this page.

I think the application is trying to redirect me to "/login?logout", but since I'm no longer connected, Spring Security wants me to log in again.

When I try to access the "/login?logout" page while I am logged in, it displays the correct page.

I found a solution to this problem by adding this:

            .authorizeRequests()
            .antMatchers("/error","/login").permitAll()

Why didn't loginPage("/login").permitAll() do this? Did I do something wrong?

YLombardi asked Oct 16 '15 09:10



1 Answer

Why doesn't loginPage("/login").permitAll() allow access to /login?logout?

Because when you do permitAll on a FormLoginConfigurer, or most other configurers for that matter, it will only allow access to those exact URLs.

Well, why does authorizeRequests().antMatchers("/login").permitAll() allow access then?

Because that uses an AntPathRequestMatcher, which matches on the request path only, and the path does not contain the query string.

But I know I've seen code that lets me access /login?logout without any explicit permitAll at all. What's up with that?

Spring Security likes providing "sensible" defaults, and it thinks it's "sensible" to provide default login and logout pages if none are specified. The default logout page is /login?logout, so you get to use it if you specify nothing. This is done by a DefaultLoginPageGeneratingFilter which auto-generates some HTML and short-circuits URL authorization.

So why do I lose access to the default /login?logout page when I specify a logoutSuccessHandler?

When you specify your own logoutSuccessHandler or logoutSuccessUrl, Spring Security assumes you are providing your own logout views, so it doesn't initialize the DefaultLoginPageGeneratingFilter to short-circuit URL authorization on the logout page, and expects you to configure authorization on your own views yourself.

But I want to keep the default logout page. I just want to add some custom extra handling. Can't I just do that?

If you want to specify your own logoutSuccessHandler but still keep the default /login?logout view, you have to tell the DefaultLoginPageGeneratingFilter to still keep providing it. You can do this with a custom SecurityConfigurer, as follows:

.logoutSuccessHandler(logoutSuccessHandler)
.and()
.apply(new SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity>() {
    @Override public void configure(HttpSecurity builder) throws Exception {
        builder.getSharedObject(DefaultLoginPageGeneratingFilter.class).setLogoutSuccessUrl("/login?logout");
    }
})
heenenee answered Sep 22 '22 15:09
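The answer's core point, that permitAll() on the login configurer compares the full URL including the query string while an AntPathRequestMatcher compares the path only, can be checked directly. The following is an added example, not code from the question or the answer: it uses Spring's real AntPathRequestMatcher and spring-test's MockHttpServletRequest, while ExactUrlMatcher, LoginMatcherDemo and get() are my own names, and ExactUrlMatcher is a stand-in that reproduces the comparison the answer describes rather than Spring's private matcher class itself. Only the path-based matcher accepts /login?logout; the javax imports match the Spring Security 4 era of the question (jakarta on Spring Security 6).

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

public class LoginMatcherDemo {

    /**
     * Stand-in (not Spring's class) for the exact-URL check that permitAll() on a
     * configurer installs: the request URI plus its query string must equal the
     * configured URL, so "/login?logout" is not the same URL as "/login".
     */
    static final class ExactUrlMatcher implements RequestMatcher {
        private final String url;

        ExactUrlMatcher(String url) {
            this.url = url;
        }

        @Override
        public boolean matches(HttpServletRequest request) {
            String uri = request.getRequestURI();
            if (request.getQueryString() != null) {
                uri += "?" + request.getQueryString();
            }
            return uri.equals(request.getContextPath() + url);
        }
    }

    /** Builds a GET request; servletPath must be set because AntPathRequestMatcher reads it. */
    static MockHttpServletRequest get(String path, String query) {
        MockHttpServletRequest req = new MockHttpServletRequest("GET", path);
        req.setServletPath(path);
        req.setQueryString(query); // null means no query string
        return req;
    }

    public static void main(String[] args) {
        RequestMatcher exact = new ExactUrlMatcher("/login");         // loginPage("/login").permitAll()
        RequestMatcher antPath = new AntPathRequestMatcher("/login"); // antMatchers("/login").permitAll()

        HttpServletRequest plain = get("/login", null);
        HttpServletRequest logout = get("/login", "logout");

        // The exact matcher includes the query string in the comparison,
        // the ant-path matcher compares the path only and ignores it.
        System.out.println("exact   /login        -> " + exact.matches(plain));
        System.out.println("exact   /login?logout -> " + exact.matches(logout));
        System.out.println("antPath /login        -> " + antPath.matches(plain));
        System.out.println("antPath /login?logout -> " + antPath.matches(logout));
    }
}
```

Requires spring-security-web and spring-test on the classpath; the last two lines are the ones that explain why the asker's antMatchers("/error","/login").permitAll() fix works.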