Everything worked fine, but when I tried to log out I found that, instead of just getting the session invalidated, I was redirected to the /login URL (which does not exist).
The solution is to tell the logout configuration to return only a 200 status code and not redirect to the login page, since this is a REST app and there is no login page (the client can be a mobile app, a JS client like Angular, etc.).
Here's the configuration:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .httpBasic()
        .and().authorizeRequests()
            .antMatchers("/login").permitAll()
            .anyRequest().authenticated()
        // Return a plain 200 on logout instead of redirecting to /login?logout
        .and().logout().logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler())
        .and().csrf().disable(); // for development only
}
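Two things worth knowing about this setup. First, disabling CSRF changes more than token checking: Spring Security's LogoutFilter then matches /logout on any HTTP method, so a plain GET link (or an image tag on another site) can log the user out, whereas with CSRF enabled logout is only accepted as a POST carrying a valid token. Second, with HTTP Basic the client re-sends the credentials on every request, so "logout" here only drops the server-side session; the client still has to discard the stored credentials itself. The configuration below is an added example, not the post's own code: it keeps CSRF enabled using a cookie token repository that a JS client can read, drops the permitAll rule for the non-existent /login, and returns 204 on logout. It assumes the WebSecurityConfigurerAdapter style of the post (Spring Security 4.1 or later, before the adapter was deprecated in 5.7) and the class name RestSecurityConfig is hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Hypothetical class name; added example, not code from the original post.
@Configuration
@EnableWebSecurity
public class RestSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // HTTP Basic: unauthenticated requests get a 401 with WWW-Authenticate, no redirect
            .httpBasic()
            .and()
            .authorizeRequests()
                // No /login endpoint exists in a REST app, so there is nothing to permit there
                .anyRequest().authenticated()
            .and()
            .logout()
                .logoutUrl("/logout")              // the default, shown explicitly
                .invalidateHttpSession(true)       // drop the server-side session
                .deleteCookies("JSESSIONID")       // and tell the client to forget the session cookie
                // Reply with 204 No Content instead of redirecting to /login?logout
                .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.NO_CONTENT))
            .and()
            .csrf()
                // Keep CSRF on: the token is issued in an XSRF-TOKEN cookie that is not HttpOnly,
                // so a browser client (Angular, fetch, etc.) can read it and echo it back in the
                // X-XSRF-TOKEN header on POST /logout. With CSRF enabled, GET /logout is rejected.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

To exercise it from the command line: make any authenticated GET first so the server sets the XSRF-TOKEN cookie (curl -c cookies.txt -u user:pass http://localhost:8080/some/resource), then POST the logout with the cookie jar and the token copied into the X-XSRF-TOKEN header (curl -b cookies.txt -u user:pass -H "X-XSRF-TOKEN: <value from cookies.txt>" -X POST -i http://localhost:8080/logout). The response should be 204 with no Location header; a GET to /logout, or a POST without the header, should be refused rather than logging the user out.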