15 January 2016

Spring Security Java config for a REST service

I am trying to set up Spring Security for a REST service in Spring.

All worked fine, but when I tried to log out, I found that instead of the session being invalidated, a redirect happened to the /login URL (which does not exist).

The solution is to tell the logout configuration to only send a 200 status code and not redirect to the login page (since this is a REST app there is no login page; the client can be a mobile app, a JS client like Angular, etc.).

Here's the configuration:

    // inside a WebSecurityConfigurerAdapter subclass
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .httpBasic()
            .and().authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
            .and().logout()
                // reply 200 OK instead of redirecting to /login
                .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler())
            .and().csrf().disable(); // for development only
    }
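The same idea carried a step further, as an added example that is not code from the original post: logout still answers with a bare status code instead of a redirect, but it is restricted to POST and the CSRF protection that the post switches off is kept, using the cookie repository so an Angular-style client can echo the token. It assumes Spring Security 4.1 or later (newer than what the post would have used) and the class name is made up.

```java
// Added example, not from the original post. Assumes Spring Security 4.1+;
// the class name is invented.
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class RestSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .httpBasic()
            .and().authorizeRequests()
                .anyRequest().authenticated()
            .and().logout()
                // Accept only POST /logout: a GET logout could be triggered by any
                // page that embeds the URL, so the session would be dropped cross-site.
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "POST"))
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                // Reply 204 No Content instead of redirecting to a /login page that a
                // REST service does not have (the no-arg constructor gives 200 OK).
                .logoutSuccessHandler(
                    new HttpStatusReturningLogoutSuccessHandler(HttpStatus.NO_CONTENT))
            .and().csrf()
                // Keep CSRF enabled rather than disabling it: the token is issued as an
                // XSRF-TOKEN cookie (readable by script, hence httpOnly=false) and the
                // client returns it in the X-XSRF-TOKEN header, which Angular does by default.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

Checking it with curl takes two requests: any authenticated GET returns the XSRF-TOKEN cookie, and a following POST /logout that sends that value in an X-XSRF-TOKEN header should come back as 204, not the 302 to /login the post describes.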
