Why does /login?logout redirect to /login?

Question

In my Spring project, I set the logout target url to "/login?logout" to display the login page with a message "You are now logged out".

In the Spring Security config, I did this :

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers("/error").permitAll()
            .anyRequest().fullyAuthenticated()
            .and()
            .formLogin()
            .loginPage("/login")
            .permitAll()
            .successHandler(loginSuccessHandler)
            .failureUrl("/login?error")
            .and()
            .httpBasic()
            .and()
            .logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .permitAll()
            .logoutSuccessHandler(logoutSuccessHandler);
}

And the logoutSuccessHandler :

public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
        Authentication authentication) throws IOException, ServletException {

    if (authentication != null) {
        Log.debug(authentication.getName() + " LOGOUT !!");
    }

    setDefaultTargetUrl("/login?logout");
    super.onLogoutSuccess(request, response, authentication);       
}

When I try to logout, I arrive on the page "/login" (without the ?logout). I don't understand why it redirects me on this page.

I think the application is trying to redirect me on "/login?logout", but since I'm no longer connected, Spring security wants me to log in again.

When I try to access the "/login?logout" page while I am logged in, it displays the good page.

I found a solution to this problem by adding this :

            .authorizeRequests()
            .antMatchers("/error","/login").permitAll()

Why didn't loginPage("/login").permitAll() do this? Did I do something wrong?

Answer 1

Why doesn't loginPage("/login").permitAll() allow access to /login?logout?

Because when you do permitAll on a FormLoginConfigurer, or most other configurers for that matter, it will only allow access to those exact URLs.

Well, why does authorizeRequests().antMatchers("/login").permitAll() allow access then?

Because that uses an AntPathRequestMatcher, which matches on the request path only, and the path does not contain the query string.

But I know I've seen code that lets me access /login?logout without any explicit permitAll at all. What's up with that?

Spring Security likes providing "sensible" defaults, and it thinks it's "sensible" to provide default login and logout pages if none are specified. The default logout page is /login?logout, so you get to use it if you specify nothing. This is done by a DefaultLoginPageGeneratingFilter which auto-generates some HTML and short-circuits URL authorization.

So why do I lose access to the default /login?logout page when I specify a logoutSuccessHandler?

When you specify your own logoutSuccessHandler or logoutSuccessUrl, Spring Security assumes you are providing your own logout views, so it doesn't initialize the DefaultLoginPageGeneratingFilter to short-circuit URL authorization on the logout page, and expects you to configure authorization on your own views yourself.

But I want to keep the default logout page. I just want to add some custom extra handling. Can't I just do that?

If you want to specify your own logoutSuccessHandler but still keep the default /login?logout view, you have to tell the DefaultLoginPageGeneratingFilter to still keep providing it. You can do this with a custom SecurityConfigurer, as follows:

.logoutSuccessHandler(logoutSuccessHandler)
.and()
.apply(new SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity>() {
    @Override public void configure(HttpSecurity builder) throws Exception {
        builder.getSharedObject(DefaultLoginPageGeneratingFilter.class).setLogoutSuccessUrl("/login?logout");
    }
})