Logout link with Spring and Thymeleaf
D

7

27

According to the official example (Secure Web Content), I have to use a form and a button in order to perform a logout with Spring Security. Is there a way to use a link with Thymeleaf instead of a button?

Deafening answered 21/3, 2014 at 11:39 Comment(2)
Style the button as a link. It needs, for security reasons, to be a POST instead of a GET request. You can also configure the logout filter to accept GET requests, but that is less secure. - Jewett
Also see docs.spring.io/spring-security/site/docs/3.2.x/reference/… - Snakebird
G
37

You have to use a form for log out. If you really want a link, you can use JavaScript to have the link perform a POST on a hidden form.

<a href="javascript: document.logoutForm.submit()" role="menuitem"> Logout</a>

   <form name="logoutForm" th:action="@{/logout}" method="post" th:hidden="true">
      <input hidden type="submit" value="Sign Out"/>
   </form> 
Greggs answered 6/4, 2016 at 10:52 Comment(1)
Note that I needed to change the 'hidden' attribute of the 'input' element to 'hidden="true"'. - Slipshod
S
29

I have successfully used <a th:href="@{/logout}">Logout</a>

The relevant Spring Security config I used was

http
    .formLogin()
        .loginPage("/login")
        .permitAll()
        .and()
    .logout()
        .logoutUrl("/logout")
        .logoutSuccessUrl("/login");
Suntan answered 21/3, 2014 at 12:10 Comment(2)
This didn't work for me, as <a th:href="@{/logout}">Logout</a> generated a GET request. - Chainman
Check out this for the configuration, and then just change the HTML/Thymeleaf anchor to a form. - Suntan
C
18

With respect to the context of this question, I think vdenotaris wants a link, not a submit button, for the logout functionality. Well, I think what you can do is create a hyperlink like this:

<a href="#" th:href="@{/logout}">Log Out</a>

and now create a controller with the mapping below:

@RequestMapping(value="/logout", method = RequestMethod.GET)
public String logoutPage (HttpServletRequest request, HttpServletResponse response) {
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth != null){    
        new SecurityContextLogoutHandler().logout(request, response, auth);
    }
    return "redirect:/login?logout";
}
Charissacharisse answered 3/4, 2017 at 6:50 Comment(1)
This block of code is actually working. A little explanation on how it is working might help other viewers. - Pirzada
D
10

The solution (deprecated!) is:

.logout()
    .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
    .logoutSuccessUrl("/login");

It is recommended to use POST instead of a GET request for security, as mentioned above.

Deafening answered 26/3, 2014 at 10:53 Comment(3)
This worked for me. Need to find out the way to do it in POST. - Chainman
@Deafening Can you please explain why it is DEPRECATED? And should I use it or not? - Martijn
@Martijn Because this implementation handles the logout process via HTTP GET instead of POST, as stated in my answer. See: docs.spring.io/spring-security/site/docs/current/reference/… - Deafening
H
8

That's the right answer.

<form th:action="@{/logout}" method="post">
    <input type="submit" value="POST LOGOUT"/>
</form>
Heptagonal answered 1/11, 2015 at 18:32 Comment(1)
If "Is there a way to use a link with Thymeleaf instead of a button?" is the question, how is using a button the right answer? - Panek
Q
4

"In order to help protect against CSRF attacks, by default, Spring Security Xml Configuration log out requires:

  • the HTTP method must be a POST
  • the CSRF token must be added to the request. You can access it on the ServletRequest using the attribute _csrf as illustrated above."

Hello Spring Security Xml Config

<form th:action="@{/logout}" method="post">
    <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}" /> 
    <input type="submit" value="LOGOUT"/>
</form>
Quadruple answered 7/6, 2017 at 19:31 Comment(0)
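
Added example, not part of any answer on this page: the POST logout with CSRF token quoted above, with the submit button styled to look like a link, as suggested in the comments on the question. It assumes Spring Security's default POST /logout endpoint; the class names logout-form and link-button are made up for this illustration.

```html
<!-- Added example: a POST logout that renders like a link.
     Assumes the page declares the Thymeleaf namespace (xmlns:th) and that
     Spring Security handles POST /logout (its default).
     The class names below are hypothetical. -->
<style>
  .logout-form { display: inline; }   /* keep the form in the text flow */
  .link-button {
    background: none;                 /* strip the button chrome */
    border: 0;
    padding: 0;
    font: inherit;
    color: #0645ad;
    text-decoration: underline;
    cursor: pointer;
  }
</style>

<form class="logout-form" th:action="@{/logout}" method="post">
  <!-- CSRF token, as in the documentation quoted above. With Thymeleaf's
       Spring integration the token is normally injected automatically for
       th:action forms, which makes this input redundant but harmless.
       th:if skips it when CSRF protection is disabled and _csrf is absent. -->
  <input type="hidden" th:if="${_csrf}"
         th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>

  <!-- A real submit button: it works without JavaScript and without a
       javascript: href, so it keeps working under a strict
       Content-Security-Policy that blocks inline script. -->
  <button type="submit" class="link-button">Logout</button>
</form>
```

Because the request stays a POST carrying the token, a third-party page cannot log the user out by embedding a plain GET to /logout in an image or link.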
V
0

Try adding the following snippet of code in your file:

  <!--In case of csrf enabled post logout is working -->

  <form th:action="@{/logout}" method="post">
    <input type="submit" value="POST LOGOUT"></input>
  </form>
Vision answered 3/2, 2022 at 12:23 Comment(1)
Using Thymeleaf. - Vision
