
404 when do logout in Spring Security Rest Plugin for Grails


I'm setting up the security system on my project (Grails - AngularJS) with Spring Security Rest Plugin v1.5.4 (using Spring Security Core 2.0.0) for Grails 2.4.4. Doc about this plugin can be found here.

I'm testing the login and logout with the Postman Chrome REST client and I'm able to do a login OK, but I'm getting a 404 when I do logout.

The documentation clearly says:

The logout filter exposes an endpoint for deleting tokens. It will read the token from an HTTP header. If found, will delete it from the storage, sending a 200 response. Otherwise, it will send a 404 response

You can configure it in Config.groovy using these properties:

Config key                                                       Default value
grails.plugin.springsecurity.rest.logout.endpointUrl             /api/logout
grails.plugin.springsecurity.rest.token.validation.headerName    X-Auth-Token

So, after doing a login successfully, I tried to do a logout to that URL (my_host_url/api/logout) with a GET method and sending a header X-Auth-Token with the token I got previously from login.

But I keep getting a 404. See image below

[Screenshot: Postman request to /api/logout with the X-Auth-Token header, returning 404]

Edit: I'm setting the chain map like this (in order to get a stateless behavior):

grails.plugin.springsecurity.filterChain.chainMap = [
        '/api/**': 'JOINED_FILTERS,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter',  // Stateless chain
        '/**': 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter'                                                                          // Traditional chain
]

So, what am I doing wrong here, or what am I missing?

Thanks in advance!


Solution

  • You missed another excerpt from the docs. It's a warning message literally before the chunk you quoted, and says:

    Logout is not possible when using JWT tokens (the default strategy), as no state is kept in the server.

    If you still want to have logout, you can provide your own implementation by creating a subclass of JwtTokenStorageService and overriding the methods storeToken and removeToken. Then, register your implementation in resources.groovy as tokenStorageService.
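What that subclass can look like in practice, as an added example that is not part of the answer above or of the plugin's own source: a JwtTokenStorageService that keeps a server-side denylist of revoked token values, so that /api/logout has real state to delete (200 on first logout, 404 on an unknown or already-revoked token, exactly as the quoted doc describes) and a revoked JWT stops validating even though it is still cryptographically valid and unexpired. The class name RevocableJwtTokenStorageService and the package com.example.security are hypothetical. It assumes the 1.5.x plugin's JwtTokenStorageService exposes a jwtService property wired from a Spring bean named jwtService and that loadUserByToken throws TokenNotFoundException for tokens it cannot parse or that have expired; check both against the plugin version you actually run.

```groovy
// --- src/groovy/com/example/security/RevocableJwtTokenStorageService.groovy ---
// Hypothetical class; not part of the spring-security-rest plugin.
package com.example.security

import grails.plugin.springsecurity.rest.token.storage.TokenNotFoundException
import grails.plugin.springsecurity.rest.token.storage.jwt.JwtTokenStorageService
import org.springframework.security.core.userdetails.UserDetails

import java.util.concurrent.ConcurrentHashMap

/**
 * JWT storage service with a revocation denylist.
 *
 * The tokens stay self-contained JWTs (no session, no per-token row), so the
 * only server-side state is the set of token values that have been logged out.
 * That set has to live in a store shared by every node (e.g. Redis with a TTL
 * equal to the JWT lifetime) in a clustered deployment; the in-memory set here
 * is for illustration only.
 */
class RevocableJwtTokenStorageService extends JwtTokenStorageService {

    // Java 6/7-compatible concurrent set (Grails 2.4.x may run on Java 7).
    private final Set<String> revokedTokens =
            Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>())

    @Override
    UserDetails loadUserByToken(String tokenValue) throws TokenNotFoundException {
        // A revoked token must fail validation exactly like an unknown one,
        // otherwise the rest filter chain would still authenticate it.
        if (revokedTokens.contains(tokenValue)) {
            throw new TokenNotFoundException("Token ${tokenValue} has been revoked")
        }
        return super.loadUserByToken(tokenValue)
    }

    @Override
    void storeToken(String tokenValue, UserDetails principal) {
        // Nothing to persist: the JWT carries its own claims. The plugin calls
        // this on login; clearing any stale revocation keeps a freshly issued
        // token usable even if an identical value had been revoked earlier.
        revokedTokens.remove(tokenValue)
    }

    @Override
    void removeToken(String tokenValue) throws TokenNotFoundException {
        // Called by the logout filter. Reject garbage, expired or already
        // revoked tokens with TokenNotFoundException so the filter answers 404,
        // and only return normally (200) when this call actually revoked it.
        super.loadUserByToken(tokenValue)
        if (!revokedTokens.add(tokenValue)) {
            throw new TokenNotFoundException("Token ${tokenValue} was already revoked")
        }
    }
}

// --- grails-app/conf/spring/resources.groovy ---
// Registers the subclass under the bean name the plugin looks up.
// Assumption: the plugin's JwtService is registered as the bean 'jwtService'.
beans = {
    tokenStorageService(com.example.security.RevocableJwtTokenStorageService) {
        jwtService = ref('jwtService')
    }
}
```

With this in place the sequence from the question works as the doc describes: login returns a token, a request to the logout endpoint carrying it in X-Auth-Token returns 200, a second logout with the same token returns 404, and any further request to the stateless /api/** chain with that token is rejected. The denylist only needs to remember a token until its exp claim passes, which is why a TTL-backed store is the right production choice; without token expiration configured, the set grows without bound.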