
Spring Security 4.x set logout method to GET with xml config

I am moving from Spring Security 3.2 to 4.1, and I (still) use xml configuration.

It seems that using the <logout /> element does not allow setting the HTTP method to GET.

Is this true?

If yes, does it mean I have to create a Controller mapping to "/logout" and log out programmatically from there?

Due to legacy reasons, I have to use GET for my LogoutFilter and XML config. The below works. Note I don't recommend working around the CSRF protection, but I've had to.

This might help others.

    <!-- Custom LogoutFilter that redirects to /loggedOut after logout -->
    <b:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <b:constructor-arg name="logoutSuccessUrl" value="/loggedOut" />
        <b:constructor-arg name="handlers">
            <b:list>
                <b:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
            </b:list>
        </b:constructor-arg>
        <!-- Match GET requests to /logout* instead of the default matcher -->
        <b:property name="logoutRequestMatcher">
            <b:bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
                <b:constructor-arg name="pattern" value="/logout*"/>
                <b:constructor-arg name="httpMethod" value="GET"/>
            </b:bean>
        </b:property>
    </b:bean>

Remember to put the custom filter in the <http> element:

    <custom-filter before="CSRF_FILTER" ref="logoutFilter" />

The key thing here is that you register your own logoutRequestMatcher.
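An added example (not part of the original answer or of Spring Security): a small Python audit that scans a Spring beans XML file for LogoutFilter beans whose logoutRequestMatcher accepts a method the CSRF filter never checks, such as the GET matcher above. The sample XML and the bean id postLogoutFilter are constructed, and the script looks only at the matcher, not at where the filter sits relative to CSRF_FILTER.

```python
import xml.etree.ElementTree as ET

B = "{http://www.springframework.org/schema/beans}"
LOGOUT_FILTER = "org.springframework.security.web.authentication.logout.LogoutFilter"
ANT_MATCHER = "org.springframework.security.web.util.matcher.AntPathRequestMatcher"
# Methods the default CsrfFilter lets through without a token.
CSRF_EXEMPT = {"GET", "HEAD", "TRACE", "OPTIONS"}

def audit_logout_matchers(xml_text):
    """Return (filter bean id, pattern, method) for every LogoutFilter whose
    request matcher accepts a method the CsrfFilter never checks."""
    findings = []
    for bean in ET.fromstring(xml_text).iter(B + "bean"):
        if bean.get("class") != LOGOUT_FILTER:
            continue
        for prop in bean.findall(B + "property"):
            if prop.get("name") != "logoutRequestMatcher":
                continue
            for matcher in prop.iter(B + "bean"):
                if matcher.get("class") != ANT_MATCHER:
                    continue
                args = {a.get("name"): a.get("value")
                        for a in matcher.findall(B + "constructor-arg")}
                method = args.get("httpMethod")
                # No httpMethod argument: the matcher accepts every method.
                if method is None or method.upper() in CSRF_EXEMPT:
                    findings.append((bean.get("id"), args.get("pattern"), method))
    return findings

# Constructed sample: the matcher from the answer plus a POST-only variant.
BEAN_TEMPLATE = """
  <b:bean id="{id}" class="{f}">
    <b:property name="logoutRequestMatcher">
      <b:bean class="{m}">
        <b:constructor-arg name="pattern" value="/logout*"/>
        <b:constructor-arg name="httpMethod" value="{method}"/>
      </b:bean>
    </b:property>
  </b:bean>"""
SAMPLE = ('<b:beans xmlns:b="http://www.springframework.org/schema/beans">'
          + BEAN_TEMPLATE.format(id="logoutFilter", f=LOGOUT_FILTER, m=ANT_MATCHER, method="GET")
          + BEAN_TEMPLATE.format(id="postLogoutFilter", f=LOGOUT_FILTER, m=ANT_MATCHER, method="POST")
          + "</b:beans>")

if __name__ == "__main__":
    for bean_id, pattern, method in audit_logout_matchers(SAMPLE):
        print(f"{bean_id}: {pattern} reachable via {method or 'any method'} without a CSRF token")
```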
