18.5.3 Logging Out
Adding CSRF will update the LogoutFilter to only use HTTP POST. This ensures that log out requires a CSRF token and that a malicious user cannot forcibly log out your users.
One approach is to use a form for log out. If you really want a link, you can use JavaScript to have the link perform a POST (i.e. maybe on a hidden form). For browsers with JavaScript that is disabled, you can optionally have the link take the user to a log out confirmation page that will perform the POST.
If you really want to use HTTP GET with logout you can do so, but remember this is generally not recommended. For example, the following Java Configuration will perform logout with the URL /logout is requested with any HTTP method:
@EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .logout() .logoutRequestMatcher(new AntPathRequestMatcher("/logout")); } }
http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf-logout
|
34down voteaccepted
|
From the Spring Security documentation
And, when CSRF protection is enabled
In your case:
You have already determined the possible solutions:
Since you are using Thymeleaf, you will have to do something like the following in your HTML template for the login page: Note that you must use You could change the form submission method to I typically create a Thymeleaf fragment that is then used in all pages with forms to generate the markup for the forms with the CSRF token included. This reduces boilerplate code across the app. |
https://stackoverflow.com/questions/25692735/simple-example-of-spring-security-with-thymeleaf
