Spring Security - How to log out with default configurations?

[Last Updated: Jul 15, 2018]

This example demonstrates how to automatically logout with default Spring security configuration.

To logout, we just need to access URL '/logout' with POST request.

In the POST /logout form, we also need to include the CSRF token, which is a protection against CSRF attack.

Let's see the example how to do that.

Java Config class

@Configuration
@EnableWebSecurity
@EnableWebMvc
@ComponentScan
public class AppConfig extends WebSecurityConfigurerAdapter {

  protected void configure(HttpSecurity http) throws Exception {
      http.authorizeRequests()
          .anyRequest().authenticated()
          .and()
          .formLogin();
  }

  @Override
  public void configure(AuthenticationManagerBuilder builder)
          throws Exception {
      builder.inMemoryAuthentication()
             .withUser("joe")
             .password("123")
             .roles("ADMIN");
  }

  @Bean
  public ViewResolver viewResolver() {
      InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
      viewResolver.setPrefix("/WEB-INF/views/");
      viewResolver.setSuffix(".jsp");
      return viewResolver;
  }
}

Note that, in above configuration, we are also overriding configure(HttpSecurity http) to omit the default Basic Authentication (see the original method in WebSecurityConfigurerAdapter source code) and use form based Authentication. We are doing so because browsers cache the Basic Authentication information aggressively (after the first successful login) and there is no way to logout the user in the current session. In most of the examples, we will not be using Basic Authentication mechanism.

A controller

@Controller
public class ExampleController {

  @RequestMapping("/")
  public String handleRequest2(ModelMap map) {
      map.addAttribute("time", LocalDateTime.now().toString());
      return "my-page";
  }
}

The JSP page

src/main/webapp/WEB-INF/views/my-page.jsp

<html lang="en">
<body>
 <h2>Spring Security Example</h2>
 <p>Time: ${time}</p>
  <form action="/logout" method="post">
     <input type="hidden"
            name="${_csrf.parameterName}"
            value="${_csrf.token}"/>
  <input type="submit" value="Logout">
</form>
</body>
</html>

To try examples, run embedded tomcat (configured in pom.xml of example project below):

mvn tomcat7:run-war

Output

Initial access to URI '/' will redirect to '/login':

After submitting user name and password as we setup in our AppConfig class:

Clicking on 'Logout' button:

Example Project

Dependencies and Technologies Used:

spring-security-web 4.2.3.RELEASE: spring-security-web.
spring-security-config 4.2.3.RELEASE: spring-security-config.
spring-webmvc 4.3.9.RELEASE: Spring Web MVC.
javax.servlet-api 3.1.0 Java Servlet API
JDK 1.8
Maven 3.3.9

Default Spring Security Logout with MVC

Select All

Download

spring-security-mvc-logout-example
- src
  - main
    - java
      - com
        logicbig
        example
        
        AppConfig.java
        
        ExampleController.java
        
        SpringSecurityInitializer.java
        
        WebAppInitializer.java
    - webapp
      - WEB-INF
        views
        
        my-page.jsp
- pom.xml