How do I configure securityWebFilterChain(ServerHttpSecurity http) so that my application logs out on GET /logout?
I have Spring Boot 2, Spring 5 and WebFlux.
I tried:
    http
        .logout()
        .requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/logout"))
        .logoutSuccessHandler(logoutSuccessHandler("/after-life"))
The problem is, a LogoutPageGeneratingWebFilter sits earlier than the LogoutWebFilter in the emitted SecurityWebFilterChain. In it there is a hardcoded .pathMatchers(HttpMethod.GET, "/logout"), which causes my application to always emit an HTML page on a GET request.
I found no way to suppress the automatic logout page generation :(
As mentioned in the documentation,
The default is that Spring Security will generate a log in page at "/login" and a log out page at "/logout". If this is customized:
- The default log in & log out page are no longer provided
- The application must render a log in page at the provided URL
- The application must render an authentication error page at the provided URL + "?error"
- Authentication will occur for POST to the provided URL
Custom configuration to have the default login but without the default logout:
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity httpSecurity) {
        // Customizing loginPage(...) below means the default log in and log out
        // pages are no longer provided, so the login page generator is added by hand.
        LoginPageGeneratingWebFilter loginPage = new LoginPageGeneratingWebFilter();
        loginPage.setFormLoginEnabled(true);
        return httpSecurity
            .addFilterAt(loginPage, SecurityWebFiltersOrder.LOGIN_PAGE_GENERATING)
            .authorizeExchange()
                .pathMatchers("/home").authenticated()
            .and().formLogin()
                .loginPage("/login")
            .and()
            .logout()
                // requiresLogout(...) replaces the POST matcher set by logoutUrl(...)
                .logoutUrl("/logout").requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/logout"))
            .and()
            .build();
    }
I have the same problem, but I am using OAuth2Login and the application is behind a reverse proxy that strips a prefix, with a ForwardedHeaderTransformer. Everything works well, but the logout page has a hardcoded path /logout, so there is no way to add a custom prefix. My solution is to change the logout URL to /logout-oidc:
    http.logout(logout -> logout
        .requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/logout-oidc")));
It is bad that there isn't a method setLogoutPageGenerating(boolean enable) which can disable LogoutPageGeneratingWebFilter.
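A complete configuration built around the workaround in the answer above, as an added example that is not code from either answer or from Spring Security itself. It assumes Spring Security 5.2 or later (lambda DSL), uses form login instead of OAuth2 login so that it needs no client registration, and the class name LogoutConfig is hypothetical; /after-life and /logout-oidc come from the posts above.

```java
import java.net.URI;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.logout.RedirectServerLogoutSuccessHandler;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;

@Configuration
@EnableWebFluxSecurity
public class LogoutConfig { // hypothetical class name

    // Any GET path other than "/logout" reaches LogoutWebFilter, because the
    // generated logout page only answers GET /logout.
    private static final String LOGOUT_PATH = "/logout-oidc";

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        // Redirect target taken from the question; stands in for its
        // logoutSuccessHandler("/after-life") helper, which the page does not show.
        RedirectServerLogoutSuccessHandler afterLogout = new RedirectServerLogoutSuccessHandler();
        afterLogout.setLogoutSuccessUrl(URI.create("/after-life"));

        return http
            .authorizeExchange(exchanges -> exchanges
                // The post-logout page must be reachable without a session.
                .pathMatchers("/after-life").permitAll()
                .anyExchange().authenticated())
            // Default form login keeps the generated /login and /logout pages.
            .formLogin(Customizer.withDefaults())
            .logout(logout -> logout
                // CSRF protection only covers state-changing methods, so this
                // GET logout is not token-checked, unlike the default POST /logout.
                .requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, LOGOUT_PATH))
                .logoutSuccessHandler(afterLogout))
            .build();
    }
}
```

With this chain, GET /logout still renders the generated confirmation page, while GET /logout-oidc ends the session and redirects to /after-life.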