Spring Security: 404 on logout

Try this, logout with HTTP.GET

WebSecurityConfigurerAdapter

// In HttpSecurity configure
...
.logout()
...
.logoutRequestMatcher(new AntPathRequestMatcher("/logout", “GET”))
...
...

HTML

<a href="/logout">Logout</a>

I had the same problem after migrating from Spring 3.2 to 4 but I wanted to logout using a link on the view.

The Spring doco (http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf-include-csrf-token-form) explains how to do it in the view.

I used this snippet in the JSP to do the logout:

<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
<form:form action="${pageContext.request.contextPath}/logout" method="POST">
    <input type="submit" value="Logout" />
</form:form>

In order to solve this, it's usually required to convert a logout link into a POST form button with hidden CSRF token, which can be achieved by:

<a href="#" onclick="document.getElementById('logout-form').submit();"> Logout </a>

<form id="logout-form" action="<c:url value="/logout"/>" method="post">
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>

If you are using logout with CSRF you must perform a POST. See http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf-logout

Tags:

Java

Spring Mvc

Spring Security

Recent Posts