[Java / Spring Boot] Spring security ⑤ --Implementation of logout processing

In Spring, let's check the ID and password entered on the login screen with the DB, and easily create a function that prohibits access to a specific URL with user privileges ~ ♪ So far, we have implemented direct link prohibition, login function implementation, error message Japaneseization, password encryption, so we will also implement logout ^ ^

Logout process

• logoutRequestMatcher
• In Spring, logout process sends POST method by default
• Use logoutRequestMatcher when sending by GET
• logoutUrl
• Setting to log out by POST
• logoutSuccessUrl
• Transition destination when logout is successful
• Now when you log out, the user session will be destroyed

SecurityConfig.java

//Partial excerpt, full text is for reference below

//Logout process
    http
         .logout()
         .logoutRequestMatcher(new AntPathRequestMatcher("/logout")) //
         .logoutUrl("/logout") //Logout URL
         .logoutSuccessUrl("/login"); //URL after successful logout

Launch the app and log in from the login screen!

• http://localhost:8080/login
• After logging out with the logout button, the session ended and the login screen was displayed again!

(Reference) Full code

SecurityConfig.java

package com.example.demo;

import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
//import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    //Data source
    @Autowired
    private DataSource dataSource;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    //SQL statement to get user ID and password
    private static final String USER_SQL = "SELECT"
            + "    user_id,"
            + "    password,"
            + "    true"
            + " FROM"
            + "    m_user"
            + " WHERE"
            + "    user_id = ?";
//
//    //SQL statement to get the user's role
    private static final String ROLE_SQL = "SELECT"
            + "    user_id,"
            + "    role"
            + " FROM"
            + "    m_user"
            + " WHERE"
            + "    user_id = ?";

    @Override
    public void configure(WebSecurity web) throws Exception {

        //No security is applied to access to static resources
        web.ignoring().antMatchers("/webjars/∗∗", "/css/∗∗");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        //Login-free page settings
        http
            .authorizeRequests()
                .antMatchers("/webjars/**").permitAll() //Permission to webjars
                .antMatchers("/css/**").permitAll() //Permission to css
                .antMatchers("/login").permitAll() //Direct link OK for login page
                .antMatchers("/signup").permitAll() //Direct link OK for user registration screen
//                .antMatchers("/admin").hasAuthority("ROLE_ADMIN") //Allow admin users
                .anyRequest().authenticated(); //Other than that, direct link is prohibited

        //Login process
        http
            .formLogin()
                .loginProcessingUrl("/login") //Login process path
                .loginPage("/login") //Specify login page
                .failureUrl("/login") //Transition destination when login fails
                .usernameParameter("userId") //Login page user ID
                .passwordParameter("password") //Login page password
                .defaultSuccessUrl("/home", true); //Transition destination after successful login

        //Logout process
        http
                .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout")) //
                .logoutUrl("/logout") //Logout URL
                .logoutSuccessUrl("/login"); //URL after successful logout

        //Disable CSRF measures (temporary)
        http.csrf().disable();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {

        //Get user information at the time of login process from DB
        auth.jdbcAuthentication()
                .dataSource(dataSource)
                .usersByUsernameQuery(USER_SQL)
                .authoritiesByUsernameQuery(ROLE_SQL)
                .passwordEncoder(passwordEncoder());
    }
}