Issue with Spring security's logout

I've got a problem logging out in Spring framework.

First, when I want j_spring_security_logout to handle it for me, I get 404 j_spring_security_logout not found.

sample-security.xml:

<http>
    <intercept-url pattern="/messageList.htm*" access="ROLE_USER,ROLE_GUEST" />
    <intercept-url pattern="/messagePost.htm*" access="ROLE_USER" />
    <intercept-url pattern="/messageDelete.htm*" access="ROLE_ADMIN" />
    <form-login login-page="/login.jsp" default-target-url="/messageList.htm"
        authentication-failure-url="/login.jsp?error=true" />
    <logout/>
</http>

Sample url link to logout in JSP page:

<a href="<c:url value="/j_spring_security_logout" />">Logout</a>

When I try to use a custom JSP page, i.e. I use the login form for this purpose, then I get a better result: at least it gets to the login page. But another problem is that you don't get logged off, as you can directly type a URL that should be guarded but you get past it anyway.

Slightly modified from previous listings:

<http>
    <intercept-url pattern="/messageList.htm*" access="ROLE_USER,ROLE_GUEST" />
    <intercept-url pattern="/messagePost.htm*" access="ROLE_USER" />
    <intercept-url pattern="/messageDelete.htm*" access="ROLE_ADMIN" />
    <form-login login-page="/login.jsp" default-target-url="/messageList.htm"
        authentication-failure-url="/login.jsp?error=true" />
    <logout logout-success-url="/login.jsp" />
</http>

<a href="<c:url value="/login.jsp" />">Logout</a>

Thank you for help


I've just had this problem.

You need to make sure in web.xml your security filter matches on the url /j_spring_security_logout

e.g.

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/j_spring_security_logout</url-pattern>
</filter-mapping>


You should do a POST request. Something like this:

<form action="${logoutUrl}" method="post" id="logoutForm">
    <input type="hidden"
        name="${_csrf.parameterName}"
        value="${_csrf.token}" />
</form>

<script>
    function formSubmit() {
        document.getElementById("logoutForm").submit();
    }
</script>

<c:if test="${pageContext.request.userPrincipal.name != null}">
    <h2>
        Welcome : ${pageContext.request.userPrincipal.name} |
        <a href="javascript:formSubmit()"> Logout</a>
    </h2>
</c:if>


I ran into the same problem and, after losing hope, finally found the answer by accident. Of course we learn a lot by reading and using someone else's code, and by doing this we inherit settings we don't know much about.

And this is what happened to me when programming using Spring Security.

In the Spring Security XML, within the http tag, there is this line:

<logout invalidate-session="true" logout-success-url="/login" logout-url="/logout" />

I got this line during my research from some tutorial or example. And after 2 days struggling with the j_spring_security_logout keyword and getting nothing but error 404, I figured this out.

In the logout tag I am using, there's this logout-url parameter set to "/logout". Then I realized that according to my settings, my spring is expecting to receive /logout instead of /j_spring_security_logout.

Once I updated my code accordingly, it worked like a charm.


Is logout link aware of the context path?

For example, if your context path is "myapp", where does the above mentioned link point?

"http://localhost:8080/myapp/j_spring_security_logout" or "http://localhost:8080/j_spring_security_logout" ?

In fact, the j_spring_security_logout is only valid within the context of the webapp, so only the first link would lead to the correct URL.


I had the same issue.

Seems to be a bug on 3.0.6!

I just downgraded to 3.0.5 and everything works nicely.


Try this link in your page which contains a logout link:

<h:outputLink value="#{request.contextPath}/logout.jsp">Logout</h:outputLink>

and create a logout.jsp file in your "webcontent" folder with the following code:

<% response.sendRedirect("/#{request.contextPath}/j_spring_security_logout"); %>

If an error occurred, try to change "#{request.contextPath}" to the name of your project, e.g. my project name is "security", so I am using in my logout.jsp file:

<% response.sendRedirect("/security/j_spring_security_logout"); %>
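
The fixes from the answers above, combined into one consistent configuration (an added example, not code from any of the posters). It assumes the Spring Security 3.x XML namespace used in the question, where the logout filter listens on /j_spring_security_logout unless logout-url overrides it; the /* filter mapping is this example's choice.

```xml
<!-- web.xml: map the filter chain to every request, so the guarded pages
     and the logout URL both pass through Spring Security. A mapping that
     misses the logout URL leaves the request to the container, which has
     nothing mapped at that path and answers 404. -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- sample-security.xml -->
<http>
    <intercept-url pattern="/messageList.htm*" access="ROLE_USER,ROLE_GUEST" />
    <intercept-url pattern="/messagePost.htm*" access="ROLE_USER" />
    <intercept-url pattern="/messageDelete.htm*" access="ROLE_ADMIN" />
    <form-login login-page="/login.jsp" default-target-url="/messageList.htm"
        authentication-failure-url="/login.jsp?error=true" />
    <!-- logout-url: the path the logout filter handles; every logout link
         or form must target exactly this path (here the 3.x default,
         written out explicitly).
         logout-success-url: only where the browser is sent afterwards.
         Linking straight to /login.jsp never reaches the logout filter,
         so the session stays authenticated and guarded URLs stay reachable. -->
    <logout logout-url="/j_spring_security_logout"
        logout-success-url="/login.jsp"
        invalidate-session="true" />
</http>

<!-- JSP: c:url prepends the context path, giving for a context path of
     "myapp" the link /myapp/j_spring_security_logout -->
<a href="<c:url value="/j_spring_security_logout" />">Logout</a>
```

To check the result, click Logout and then request /messagePost.htm directly: the browser should be sent to /login.jsp. If the page still renders, the logout filter was not reached.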