
Logout doesn't work with Spring Boot, Spring Security and Thymeleaf

I'm trying to add a logout function to our Spring Boot application, but Spring logout does not work... The authenticated user still exists and the security context is not cleared. What actually surprises me is that it works sometimes and sometimes it doesn't. I have no idea why!

Thymeleaf:

<li><a class="dropdown-item" href="javascript: document.logoutForm.submit()" role="menuitem"><i class="fas fa-sign-out-alt"></i> Logout</a></li>
<!-- th:action also inserts the hidden _csrf field when CSRF protection is enabled -->
<form name="logoutForm" th:action="@{/logout}" method="post" th:hidden="true">
    <input hidden type="submit" value="Sign Out"/>
</form>

Here is my code block for logout:

.logout()
    .clearAuthentication(true)
    // AntPathRequestMatcher without a method matches /logout for any HTTP verb, not only POST
    .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
    // Spring Security's default OAuth2 authorization-request endpoint for the client registration "login",
    // i.e. the browser is sent straight into a new login flow after logout
    .logoutSuccessUrl("/oauth2/authorization/login")
    .addLogoutHandler(new HeaderWriterLogoutHandler(
            new ClearSiteDataHeaderWriter(
                    ClearSiteDataHeaderWriter.Directive.CACHE,
                    ClearSiteDataHeaderWriter.Directive.COOKIES,
                    ClearSiteDataHeaderWriter.Directive.STORAGE)));

I also tried the following, but it didn't help:

.deleteCookies("JSESSIONID")
.invalidateHttpSession(true)

Does anyone have any idea why it behaves so strangely?

Let me assume the problem is an incomplete OAuth2 login/logout configuration:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

@EnableWebSecurity
public class WebSecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/").permitAll()
                .anyRequest().authenticated()
                .and()
                .logout()
                // decides where the browser goes after the local session is gone
                .logoutSuccessHandler(logoutSuccessHandler())
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .deleteCookies("JSESSIONID")
                .and()
                // OAuth 2.0 / OpenID Connect login; uses the registrations from application properties
                .oauth2Login();
    }

    private LogoutSuccessHandler logoutSuccessHandler() {
        ...
    }
}

Pay attention to two points:

  • .oauth2Login() - configures authentication support using OAuth 2.0.
  • .logoutSuccessHandler(...) - redirects to the proper OAuth2 server logout endpoint so the user's session there is ended. Unfortunately I don't know your OAuth2 provider; anyway, I recommend looking at OidcClientInitiatedLogoutSuccessHandler to figure out how to redirect to the logout URL. If you don't use an OpenID OAuth2 provider, you can implement your own logout success handler based on SimpleUrlLogoutSuccessHandler; you only need to know the logout URL and the URL parameter for redirecting back after a successful logout on the OAuth2 server.
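As an added example (not code from the answer above, the question, or the Spring Security project), here is the configuration the answer describes, filled in with OidcClientInitiatedLogoutSuccessHandler so that a POST to /logout clears the local session, sends a Clear-Site-Data header, and then redirects the browser to the provider's end_session_endpoint. Assumptions: Spring Security 5.3 or later on the 5.x line (for setPostLogoutRedirectUri(String) with the {baseUrl} placeholder), an OpenID Connect provider whose discovery document publishes end_session_endpoint, a constructor-injected ClientRegistrationRepository, and the path /logged-out and class name chosen for this example.

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.web.authentication.logout.HeaderWriterLogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter;
import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter.Directive;

// Example configuration (assumed names): OIDC login plus RP-initiated logout at the provider.
@EnableWebSecurity
public class OidcLogoutSecurityConfig extends WebSecurityConfigurerAdapter {

    // Populated by Spring Boot from spring.security.oauth2.client.registration.* properties.
    private final ClientRegistrationRepository clientRegistrationRepository;

    public OidcLogoutSecurityConfig(ClientRegistrationRepository clientRegistrationRepository) {
        this.clientRegistrationRepository = clientRegistrationRepository;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // the landing page after logout must be reachable without a session,
                // otherwise the user is bounced straight back into the login flow
                .antMatchers("/", "/logged-out").permitAll()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                .and()
            .logout()
                // default logout request is POST /logout; CSRF stays enabled, so the
                // Thymeleaf form must carry the _csrf field (th:action adds it)
                .logoutSuccessHandler(oidcLogoutSuccessHandler())
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .deleteCookies("JSESSIONID")
                // ask the browser to drop cached pages, cookies and storage for this origin
                .addLogoutHandler(new HeaderWriterLogoutHandler(
                        new ClearSiteDataHeaderWriter(
                                Directive.CACHE, Directive.COOKIES, Directive.STORAGE)));
    }

    // Redirects to the provider's end_session_endpoint (taken from the registration's
    // discovery metadata) with id_token_hint and post_logout_redirect_uri attached.
    private LogoutSuccessHandler oidcLogoutSuccessHandler() {
        OidcClientInitiatedLogoutSuccessHandler handler =
                new OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository);
        // Where the provider sends the browser after ending its own session.
        // {baseUrl} expands to scheme://host[:port]/context-path of this application;
        // the resulting URL must be registered with the provider as an allowed post-logout URI.
        handler.setPostLogoutRedirectUri("{baseUrl}/logged-out");
        return handler;
    }
}
```

Two checks worth doing with this in place: in the browser's network tab, the POST /logout should answer 302 with a Location on the provider's host, not on your own; if it redirects to / instead, the registration's metadata has no end_session_endpoint and OidcClientInitiatedLogoutSuccessHandler silently falls back to the SimpleUrlLogoutSuccessHandler default target. Without that provider-side logout the local session is gone but the provider's SSO cookie is not, so the very next request to a protected page logs the same user in again without a prompt, which is exactly the "logout only sometimes works" symptom.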

I had a similar issue. It is now resolved. I used the code below:

.and().logout().logoutSuccessUrl("/logoutSuccess").deleteCookies("JSESSIONID").invalidateHttpSession(true);

Try this one. It is working on my machine.
