如何在 SpringBoot WebFlux 中使用 GET 请求注销

Question

How do i configure securityWebFilterChain(ServerHttpSecurity http) so that my application logs out on GET /logout ?

I have SpringBoot 2 Spring 5 and WebFlux

I tried:

  http
    .logout()
      .requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/logout"))
      .logoutSuccessHandler(logoutSuccessHandler("/after-life"))

Problem is, a LogoutPageGeneratingWebFilter sits earlier than the LogoutWebFilter in the emitted SecurityWebFilterChain . In that there is a hardcoded .pathMatchers(HttpMethod.GET, "/logout") - which causes my application to always emit a html page on a GET request.

I found no way to suppress the automatic logout page generation :(

Answer 1

As mentioned in the documentation ,

The default is that Spring Security will generate a log in page at "/login" and a log out page at "/logout". If this is customized: The default log in & log out page are no longer provided The application must render a log in page at the provided URL The application must render an authentication error page at the provided URL + "?error" Authentication will occur for POST to the provided URL

Custom configuration to have default login and without default logout.

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity httpSecurity){

        LoginPageGeneratingWebFilter loginpage= new LoginPageGeneratingWebFilter();
        loginpage.setFormLoginEnabled(true);
        return httpSecurity
                .addFilterAt(loginpage, SecurityWebFiltersOrder.LOGIN_PAGE_GENERATING)
                .authorizeExchange()
                    .pathMatchers("/home").authenticated()
                        .and().formLogin()                      
                            .loginPage("/login")                         
                        .and()
                        .logout()
                        .logoutUrl("/logout").requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/logout"))
                        .and()

                .build();

    }

Answer 2

I have the same problem but I am using OAuth2Login and the application is behind a reverse proxy with stripping a prefix and with using a ForwardedHeaderTransformer . Everything works good but a logout page has hardcoded path /logout so there is no way how to add custom prefix. And my solution is change logout url to /logout-oidc

http.logout(logout -> logout
            .requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/logout-oidc"));

It is bad that there isn't method setLogoutPageGenerating(boolean enable) which can disable LogoutPageGeneratingWebFilter