Describe the bug
When configuring SecurityWebFilterChain with http.logout().disable() the default LogoutPageGeneratingWebFilter is still created, registered and listening to GET calls to /logout. It seems there is no way to disable this or change the route matcher to anything other than GET on /logout.
To Reproduce
Register a SecurityWebFilterChain bean similar to:
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    // Login is handled by OAuth2; logout is explicitly disabled, yet the
    // default LogoutPageGeneratingWebFilter still ends up in the built chain.
    return http
        .oauth2Login()
        .and()
        .logout().disable()
        .build();
}
Navigate in a browser to http://hostname/logout and the default logout page is shown, asking if you want to log out.
Expected behavior
I would expect that if logout is disabled, the logout page generating filter would not be registered or listening at /logout. Alternatively, I would have expected that changing logout.logoutUrl("/someOtherLogout") would move the page generating filter to that location as well. Even better, the matcher could be set explicitly on the LogoutPageGeneratingWebFilter, in a similar way to logout().requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/customLogoutPath")).
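A regression check for the behaviour described above, written as an added example rather than code from the report or from Spring Security. It assumes a Spring Boot WebFlux application that registers the SecurityWebFilterChain from the report (oauth2Login() plus logout().disable()) together with an OAuth2 client registration so the context starts, and that the application itself defines no /logout handler.

```java
import static org.assertj.core.api.Assertions.assertThat;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.reactive.server.WebTestClient;

// Assumed test setup: the application under test provides the reporter's
// SecurityWebFilterChain bean and a client registration for oauth2Login().
@SpringBootTest
@AutoConfigureWebTestClient
class DisabledLogoutPageTest {

    @Autowired
    WebTestClient client;

    @Test
    void getLogoutDoesNotRenderGeneratedLogoutPage() {
        // With the bug present, LogoutPageGeneratingWebFilter answers this
        // request itself: HTTP 200 carrying the confirmation form that
        // posts back to /logout. With logout disabled, nothing in the
        // security chain should handle GET /logout, so neither a 200 nor
        // that form is expected here (the app defines no /logout handler).
        client.get().uri("/logout")
                .exchange()
                .expectStatus().value(status -> assertThat(status).isNotEqualTo(200))
                .expectBody(String.class)
                .value(body -> assertThat(body == null ? "" : body)
                        .doesNotContain("action=\"/logout\""));
    }
}
```

Run it against a build that still shows the behaviour and the test fails on the 200 status; after the default changes, it passes without further configuration.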
Comment From: rwinch
Thanks for the report. A few additional thoughts:
- I think we should also ensure it is easy to disable the default logout page but yet still support log out.
- I think anything that disables the default login page should probably disable the default log out page.
Comment From: eleftherias
I have pushed a fix in dfd0047. This fix simply changes the default behaviour to not create the logout page if logout is disabled.
I have created gh-9938 to capture the additional feature of disabling the default logout page while still supporting log out.