Below is my security config:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.RedirectServerAuthenticationEntryPoint;

@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
    http
        .authorizeExchange(authorizeExchangeSpec ->
            authorizeExchangeSpec
                .pathMatchers("/login").permitAll()
                .anyExchange().authenticated()
                .and()
                .formLogin().disable()
                .csrf().disable()
                .oauth2Login())
        // custom login page: unauthenticated requests are redirected to /login
        .exceptionHandling(exceptionHandlingSpec ->
            exceptionHandlingSpec.authenticationEntryPoint(new RedirectServerAuthenticationEntryPoint("/login")));
    return http.build();
}
```
I have a customized login page which works fine, and when I access the application, the custom login page is rendered. But now when I try to logout from the application, using a `/logout` GET call, it does not work. If I remove the custom login page configuration:

```java
.exceptionHandling(exceptionHandlingSpec ->
    exceptionHandlingSpec.authenticationEntryPoint(new RedirectServerAuthenticationEntryPoint("/login")))
```
and then try the `/logout` GET call from the client, it works fine and the default Spring Security behavior is seen for logout, where the call redirects to a logout confirmation page and a logout button is displayed.

But after the customization, the above default behavior is not working. Looking at the logs I can see that Spring Security expects `/logout` to be a POST call:

```
DEBUG o.s.s.w.s.u.m.PathPatternParserServerWebExchangeMatcher - Request 'GET /logout' doesn't match 'POST /logout'
27-03-2024 11:34:19.553 [reactor-http-nio-8] DEBUG o.s.s.w.s.u.m.OrServerWebExchangeMatcher - No matches found
```
This authentication mechanism is implemented in a gateway, and I can't have a POST call in the gateway application. How do I get the GET `/logout` (default Spring Security) behavior to work?

I tried the configuration as suggested in the Spring Security doc, OIDC-Logout, but as Spring expects a POST call, I am unable to get the logout to work: the session is not getting removed in the gateway application, nor is the RP-Initiated logout working through the `logoutSuccessHandler`.
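An added example (not code from the question or from the Spring project) of a WebFlux configuration that keeps the custom `/login` entry point and still handles `GET /logout`. In WebFlux the generated `GET /logout` confirmation page belongs to the default login page support, which a custom `authenticationEntryPoint` switches off, leaving only the `LogoutWebFilter` and its default `POST /logout` matcher; the `LogoutSpec` lets you replace that matcher. The `ReactiveClientRegistrationRepository` bean (normally supplied by Spring Boot's OAuth2 client auto-configuration) and the post-logout redirect URI are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.oidc.web.server.logout.OidcClientInitiatedServerLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.RedirectServerAuthenticationEntryPoint;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;

@Configuration
@EnableWebFluxSecurity
public class GatewaySecurityConfig {

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
            ReactiveClientRegistrationRepository clientRegistrations) { // assumed auto-configured bean
        // RP-initiated logout: once the gateway session is cleared, the browser is sent to the
        // provider's end_session_endpoint and then back to the URI below.
        OidcClientInitiatedServerLogoutSuccessHandler oidcLogout =
                new OidcClientInitiatedServerLogoutSuccessHandler(clientRegistrations);
        oidcLogout.setPostLogoutRedirectUri("{baseUrl}/login"); // assumed landing page after logout

        http
            .authorizeExchange(exchanges -> exchanges
                .pathMatchers("/login").permitAll()
                .anyExchange().authenticated())
            .formLogin(ServerHttpSecurity.FormLoginSpec::disable)
            .csrf(ServerHttpSecurity.CsrfSpec::disable)
            .oauth2Login(Customizer.withDefaults())
            // Custom login page; this is what removes the generated login and logout pages.
            .exceptionHandling(exceptions -> exceptions
                .authenticationEntryPoint(new RedirectServerAuthenticationEntryPoint("/login")))
            .logout(logout -> logout
                // Default matcher is POST /logout only. Widening it to GET makes the gateway's
                // link-style logout work, at the cost that any page embedding the URL can log
                // the user out (forced logout), which is why the default is POST.
                .requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/logout"))
                .logoutSuccessHandler(oidcLogout));
        return http.build();
    }
}
```

With this chain, `GET /logout` clears the `WebSession` security context and then runs the OIDC success handler, which is what the POST-only matcher was preventing.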