30

To get a basic security feature working, I added the following starter package to my pom.xml

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>

And added the following two properties to application.properties:

    security.user.name=guest
    security.user.password=tiger

Now when I hit my homepage, I get the login box and login works as expected.

Now I want to implement the ‘logout’ feature. When the user clicks on a link, he/she gets logged out. I noticed that the login doesn’t add any cookie in my browser. I am assuming Spring Security creates an HttpSession object for the user. Is that true? Do I need to ‘invalidate’ this session and redirect the user to some other page? What’s the best way to implement the ‘logout’ feature in a Spring Boot based application?

5 comments

  • I would suggest this tutorial: http://spring.io/guides/gs/securing-web/ Commented May 15, 2014 at 6:15
  • I had already looked at this. Problem is this is geared toward Spring MVC which is not what I am using. We've a Spring Boot based application & our UI is served from /resources/public/index.html Commented May 16, 2014 at 22:08
  • Can I ask how you came upon the starter-security dependency? I've been trying to figure out for DAYS how to run spring security with spring boot and I can't believe it was this easy. Commented Oct 22, 2014 at 18:48
  • @Dany - spring-boot-starter-security is mentioned here in the documentation: spring.io/guides/gs/securing-web Commented Oct 22, 2014 at 22:35
  • And how did you know to add those two properties in the application.properties file? Every tutorial I've come across has been similar to this one - where the configuration and username+password is set up in a java class Commented Oct 23, 2014 at 13:55

1 Answer

90

Late is better than never. Spring Boot defaults lots of security components for you, including the CSRF protection. One of the things that does is force POST logout, see here: http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/reference/htmlsingle/#csrf-logout

As this suggests you can override this, using something along the lines of:

    // Inside configure(HttpSecurity http) of a WebSecurityConfigurerAdapter;
    // AntPathRequestMatcher comes from org.springframework.security.web.util.matcher
    http.authorizeRequests()
            .antMatchers("/admin/**").hasRole("ADMIN")
            .anyRequest().fullyAuthenticated()
        .and()
        .formLogin().loginPage("/login").failureUrl("/login?error").permitAll()
        .and()
        .logout()
            // matches /logout on any HTTP method, so a plain GET link logs the user out
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .logoutSuccessUrl("/login");

The last line is the important one.


5 Comments

  • I was looking everywhere for this, thanks, sometimes I feel Spring Boot does too much magic and makes things like this hard to track down
  • simple .logout().permitAll() will make it. It will redirect to login/?logout
  • just be careful with GET approach for logout since that can enable attackers to use csrf attack on your website.
  • How do I logout with that? window.location = "/login/?logout"; ???
  • How will I call it from Angular 8 logout method. Suppose I have a button log out then how will I call this
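The two choices discussed in the answer and its comments, side by side, as an added example that is not part of the original answer: the Spring Boot default (CSRF protection on, logout only via POST with the `_csrf` token) and the GET override from the answer, plus the session and cookie cleanup the question asks about. It assumes the Spring Boot 1.x / Spring Security 3.2 era API used in this thread (`WebSecurityConfigurerAdapter`), and the class name `LogoutSecurityConfig` and the flag `ALLOW_GET_LOGOUT` are hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class LogoutSecurityConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical switch for this example. false = keep the Spring Boot default
    // (POST /logout with CSRF token). true = the GET override from the answer, which
    // lets any page the user visits trigger a logout (e.g. via an <img src="/logout">).
    private static final boolean ALLOW_GET_LOGOUT = false;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().fullyAuthenticated()
            .and()
            .formLogin().loginPage("/login").failureUrl("/login?error").permitAll();
        // CSRF protection is left enabled (the Spring Boot default), so with the
        // POST-only setting the logout endpoint rejects requests lacking the token.

        LogoutConfigurer<HttpSecurity> logout = http.logout();
        if (ALLOW_GET_LOGOUT) {
            // Accept GET /logout as well; a plain <a href="/logout"> then works.
            logout.logoutRequestMatcher(new AntPathRequestMatcher("/logout", "GET"));
        } else {
            // Only POST /logout is accepted; the form must carry the CSRF token:
            //   <form method="post" action="/logout">
            //     <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
            //     <button type="submit">Log out</button>
            //   </form>
            // (the ${...} placeholders assume a server-rendered template such as Thymeleaf or JSP)
            logout.logoutUrl("/logout");
        }

        logout
            .invalidateHttpSession(true)     // drop the server-side HttpSession
            .deleteCookies("JSESSIONID")     // and tell the browser to forget the session cookie
            .logoutSuccessUrl("/login?logout")
            .permitAll();                    // the logout endpoint itself needs no authentication
    }
}
```

For a static front end such as `/resources/public/index.html`, the POST variant needs the CSRF token delivered to the page some other way; the answer's GET override avoids that at the cost the comment above describes.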
