Clever Geek Handbook

Error 404 in spring exit

I am trying to add login functionality to my application using spring security v.4. The login works fine, but when I try to log out, I get a 404 error. Spring The security description states that the default logout url is / logout. My app is deployed under / app url and I have tried the following urls. localhost: 8080 / app / logout and localhost: 8080 / app / json / logout. I found some similar stack issues, but they are related to the case where CSRF protection is used and I am not using it. Here is part of my web.xml file

    <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/json-servlet.xml,
        /WEB-INF/applicationContext.xml</param-value>
</context-param>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<servlet>
    <servlet-name>json</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>json</servlet-name>
    <url-pattern>/json/*</url-pattern>
</servlet-mapping>

and my json-servlet.xml where the spring security config is located:

    <context:component-scan base-package="test" />
<mvc:annotation-driven />

<security:http>
    <security:intercept-url pattern="/**" access="hasRole('USER')" />
    <security:form-login />
    <security:logout />
</security:http>

<security:authentication-manager>
    <security:authentication-provider>
        <security:user-service>
            <security:user name="test" password="1" authorities="ROLE_USER, ROLE_ADMIN" />
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>

Thanks in advance.

+3


source to share


1 answer


According to the documentation , starting from version 4 pring. CSRF security is enabled by default and the only method supported by default is POST, so you can call it using the following form:

<form method="post" action="${pageContext.request.contextPath}/logout" id="form-logout">
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>         
</form>

Or explicitly disable csrf protection

<http>
    <!-- ... -->
    <csrf disabled="true"/>
</http>


From the documentation

If you really want to use HTTP GET with logoff, you can do so, but remember that this is generally not recommended. For example, the following Java configuration will log out with a url / logout request with any HTTP method:

@EnableWebSecurity
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
          .logout()
          .logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
    }
}
+9


source






More articles:


All Articles