Open Oceanedge opened 6 years ago
I'm experiencing the same problem. Debugging now. Please let me know if you figured out a solution.
Yes, I figured out a solution using form logout with POST method.
@Oceanedge Can you explain more how you enabled logging out?
Open the home.jsp view (src/main/webapp/WEB-INF/views/home.jsp) and change this line that's inside of one of the security:authorize elements on the page:
```html
<li><a href="j_spring_security_logout">Logout</a>, log out directly and return to this page.</li>
```
to this:
`
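I created a logout method in the HomeController.java class as below.

imports

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
```

The method

```java
@RequestMapping("/j_spring_security_logout")
public String logout(Principal p, HttpServletRequest request,
        HttpServletResponse response) {
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth != null) {
        // Invalidates the HTTP session and clears the security context
        new SecurityContextLogoutHandler().logout(request, response, auth);
    }
    SecurityContextHolder.getContext().setAuthentication(null);
    return "home";
}
```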
On the server we changed it to the POST with CSRF protection to avoid drive-by session termination and other session-based attacks on users, and this is now the default with Spring. I would not recommend making this change.
The simple-web-app demo application should probably be updated with the POST code above.
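A POST-only variant of the controller workaround posted in this thread, paired with a form that carries the CSRF token; this is an added example, not code from the thread or from the project. The class name, the `/app-logout` path and the redirect target are assumptions, and it presumes CSRF protection is enabled in the application's Spring Security configuration.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

/*
 * Matching form for the JSP view (assumes the CsrfFilter has exposed the
 * token as the "_csrf" request attribute, which it does by default):
 *
 *   <form action="${pageContext.request.contextPath}/app-logout" method="post">
 *     <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
 *     <input type="submit" value="Logout"/>
 *   </form>
 */
@Controller
public class PostOnlyLogoutController { // hypothetical class name

    // POST only. A mapping with no method also answers GET, and Spring
    // Security's CsrfFilter by default does not token-check GET, HEAD,
    // TRACE or OPTIONS, so a GET logout is never covered by the CSRF token.
    @RequestMapping(value = "/app-logout", method = RequestMethod.POST) // hypothetical path
    public String logout(HttpServletRequest request, HttpServletResponse response) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null) {
            // Invalidates the HTTP session and clears the SecurityContext.
            new SecurityContextLogoutHandler().logout(request, response, auth);
        }
        // Redirect so the browser ends on a GET and a reload cannot re-submit the POST.
        return "redirect:/";
    }
}
```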
I set up an env to run OpenID-Connect-Java-Spring-Server (on port 8080) & simple-web-app (on port 8082) via mvn jetty:run on the same host. Both are based on master HEAD code. I found the logout is not working on simple-web-app. It always returns: HTTP ERROR 404 Problem accessing /simple-web-app/j_spring_security_logout. Reason: