Why does /login?logout redirect to /login?

In my Spring project, I set the logout destination URL to "/login?logout" to display the login page with the message "You are logged out."

In the Spring Security configurator, I did the following:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/error").permitAll()
                .anyRequest().fullyAuthenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .successHandler(loginSuccessHandler)
                .failureUrl("/login?error")
                .and()
            .httpBasic()
                .and()
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .permitAll()
                .logoutSuccessHandler(logoutSuccessHandler);
    }

And logoutSuccessHandler:

    // Enclosing class added for context: setDefaultTargetUrl() and the super call
    // only exist when the handler extends SimpleUrlLogoutSuccessHandler.
    public class CustomLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {

        @Override
        public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                Authentication authentication) throws IOException, ServletException {
            if (authentication != null) {
                Log.debug(authentication.getName() + " LOGOUT !!");
            }
            setDefaultTargetUrl("/login?logout");
            super.onLogoutSuccess(request, response, authentication);
        }
    }

When I try to log out, I end up on the "/login" page (without being logged out). I don't understand why it redirects me to this page.

I think the application is trying to redirect me to "/login?logout", but since I'm no longer logged in, Spring Security wants me to log in again.

When I access the "/login?logout" page while logged in, the page is displayed correctly.

I found a solution to this problem by adding the following:

    .authorizeRequests()
        .antMatchers("/error", "/login").permitAll()

Why doesn't loginPage("/login").permitAll() do this? Did I do something wrong?

java spring spring-security
1 answer

Why doesn't loginPage("/login").permitAll() allow access to /login?logout?

Because when you call permitAll in FormLoginConfigurer (or most other configurers), it only permits access to those exact URLs.

So why does authorizeRequests().antMatchers("/login").permitAll() allow access?

Because it uses AntPathRequestMatcher, which matches only the request path, and the path does not include the query string.

But I know I have seen code that allows access to /login?logout without any explicit permitAll. What's going on there?

Spring Security likes to provide "sensible" defaults, and it considers it "sensible" to provide default login and logout pages if none are specified. The default logout success page is /login?logout, so you can use it if you didn't specify anything. This is done through the DefaultLoginPageGeneratingFilter, which automatically generates some HTML and short-circuits authorization for that URL.

So why do I lose access to the default /login?logout page when I specify a logoutSuccessHandler?

When you specify your own logoutSuccessHandler or logoutSuccessUrl, Spring Security assumes that you are providing your own logout views, so it does not initialize the DefaultLoginPageGeneratingFilter's logout URL to short-circuit the logout page, and it expects you to configure the authorization for your own views.

But I want to keep the default logout page. I just want to add some extra operations. Can't I do that?

If you want to specify your own logoutSuccessHandler but still keep the default /login?logout view, you must tell the DefaultLoginPageGeneratingFilter to keep providing it. You can do this with a SecurityConfigurer, as shown below:

    .logoutSuccessHandler(logoutSuccessHandler)
    .and()
    .apply(new SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity>() {
        @Override
        public void configure(HttpSecurity builder) throws Exception {
            builder.getSharedObject(DefaultLoginPageGeneratingFilter.class)
                   .setLogoutSuccessUrl("/login?logout");
        }
    })
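The following is an added, complete configuration that puts the two approaches from this thread side by side; it is example code written for this page, not code from the question, the answer, or the Spring Security project. It assumes Spring Security 4.x/5.x with WebSecurityConfigurerAdapter and the javax.servlet API, as in the question. The class names LogoutRedirectSecurityConfig and AuditingLogoutSuccessHandler are invented for the example. Option A is the asker's working fix (permitting the /login path with antMatchers, which ignores the query string, so /login?logout and /login?error are both covered); Option B is the answer's SecurityConfigurerAdapter that re-enables the generated /login?logout page. Unlike the question's configuration, this example leaves CSRF protection enabled and uses logoutUrl, so logout is only accepted as a POST carrying the CSRF token rather than any GET to /logout.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;

@Configuration
@EnableWebSecurity
public class LogoutRedirectSecurityConfig extends WebSecurityConfigurerAdapter {

    private static final Logger log = LoggerFactory.getLogger(LogoutRedirectSecurityConfig.class);

    /**
     * Hypothetical handler: records who logged out, then delegates the redirect to
     * SimpleUrlLogoutSuccessHandler. The target URL is fixed once in the constructor
     * instead of being reset on every request.
     */
    static class AuditingLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {

        AuditingLogoutSuccessHandler() {
            setDefaultTargetUrl("/login?logout");
        }

        @Override
        public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                Authentication authentication) throws IOException, ServletException {
            if (authentication != null) {
                log.info("logout of user {}", authentication.getName());
            }
            super.onLogoutSuccess(request, response, authentication);
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Option A: AntPathRequestMatcher compares the servlet path only, so
                // permitting "/login" also covers /login?logout and /login?error.
                .antMatchers("/error", "/login").permitAll()
                .anyRequest().fullyAuthenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()            // exact-URL matches only: /login and /login?error
                .failureUrl("/login?error")
                .and()
            .logout()
                .logoutUrl("/logout")   // with CSRF enabled this is a POST-only endpoint
                .logoutSuccessHandler(new AuditingLogoutSuccessHandler())
                .permitAll()
                .and()
            // Option B (the answer's approach): because a custom logoutSuccessHandler is
            // set, LogoutConfigurer no longer tells the generated-page filter about
            // /login?logout, so register it explicitly. The null check is defensive:
            // the shared object is absent when no default login page configurer ran.
            .apply(new SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity>() {
                @Override
                public void configure(HttpSecurity builder) {
                    DefaultLoginPageGeneratingFilter filter =
                            builder.getSharedObject(DefaultLoginPageGeneratingFilter.class);
                    if (filter != null) {
                        filter.setLogoutSuccessUrl("/login?logout");
                    }
                }
            });
    }
}
```

Either option alone resolves the redirect loop described in the question; they are shown together only to make the difference in matching visible. Option A is the simpler one when you serve your own login view, since the generated page is only useful if you are relying on Spring Security's default HTML.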
