John Vasileff (Migrated from SEC-2575) said:

SecurityContextHolderAwareRequestFilter is installed well after CsrfFilter, so HttpServletRequest methods such as logout(), getUserPrincipal(), etc. cannot be used when handling CsrfExceptions.

I noticed this when attempting to call request.logout() in a handler defined as the error-page in web.xml, but I imagine the same would be true in an AccessDeniedHandler. FWIW, with Tomcat, the logout() call results in a NPE in org.apache.catalina.connector.Request.logout().

If possible, it would be nice to have the request wrapped immediately after SecurityContextPersistenceFilter, or at least before any filters that would reasonably be expected to throw an exception.

Comment From: spring-projects-issues

Rob Winch said:

Thanks for the report. This sounds like a fairly reasonable proposal. However, there are a lot of nuances that come with the Filter ordering that need to be taken into consideration. I have scheduled this on the 4.0.x backlog with the intention of investigating further and including it in the 4.0.x release assuming it does not cause any issues.

NOTE: Rather than invoking logout directly, it might be easier to simply redirect to the logout URL itself.

Comment From: spring-projects-issues

John Vasileff said:

Thanks Rob. I went with session.invalidate() which should be good enough for my purposes. The redirect wouldn't work because, at least for now, I'm requiring the recommended CSRF protected POST for logouts.

Comment From: spring-projects-issues

Rob Winch said:

Ha good point. I'm glad you found a workaround. Another thing you could do is gather all LogoutHandler instances and invoke them.

Comment From: rwinch

Closing as invalid. We do not want logout to be invoked within CsrfFilter because that changes the state of the application and is potentially a CSRF attack.
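The outcome of the thread in code, as an added example that is neither part of the issue nor Spring Security's own source: an AccessDeniedHandler for the CsrfFilter that reports the failure without invalidating the session or invoking logout, since a forged request must never be able to change state. It assumes Spring Security 4.x Java config and the javax.servlet API; the class names CsrfAwareAccessDeniedHandler and SecurityConfig are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.csrf.CsrfException;
import org.springframework.security.web.csrf.MissingCsrfTokenException;

/** Hypothetical handler: answers CSRF failures without any state-changing side effect. */
public class CsrfAwareAccessDeniedHandler implements AccessDeniedHandler {

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException ex) throws IOException, ServletException {
        if (!(ex instanceof CsrfException)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access denied");
            return;
        }
        // CsrfFilter runs before SecurityContextHolderAwareRequestFilter, so
        // request.getUserPrincipal() and request.logout() are not usable here.
        // SecurityContextPersistenceFilter has already run, so the holder is populated.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String who = (auth == null) ? "anonymous" : auth.getName();
        // A missing token usually means the session expired; an invalid one is a
        // stale form or a forged request. Neither case invalidates the session or
        // logs the user out: that would let an attacker force state changes.
        boolean missing = ex instanceof MissingCsrfTokenException;
        System.err.println("CSRF rejected: user=" + who + " uri=" + request.getRequestURI()
                + " reason=" + (missing ? "missing-token" : "invalid-token"));
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.setContentType("text/plain");
        response.getWriter().write(missing
                ? "CSRF token missing (session may have expired); reload the form and retry."
                : "Invalid CSRF token; reload the form and retry.");
    }
}

@Configuration
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CsrfConfigurer picks up the handler registered on exceptionHandling().
        http.csrf().and()
            .exceptionHandling().accessDeniedHandler(new CsrfAwareAccessDeniedHandler());
    }
}
```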