I have basic configuration for Spring SEcurity. The logout button works perfectly fine over HTTP but problem appears when dealing with HTTPS. My security config looks like this:
<http use-expressions="true" auto-config="false" entry-point-ref="http403EntryPoint"
access-denied-page="/accessDenied">
<intercept-url pattern="/**" access="hasRole('AA_ACCESS')" requires-channel="any"/>
<custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter"/>
<session-management>
<concurrency-control max-sessions="1" expired-url="/sessionExpired"/>
</session-management>
<logout invalidate-session="true" delete-cookies="JSESSIONID"/>
</http>
The logout button:
<a href="<c:url value="${requestScope.pageContext.servletContext.contextPath}/j_spring_security_logout" />">Logout</a>
As I said, everything works fine over HTTP, but not HTTPS.
I get error 404 Page not found. Ports the app is running is: 11501 for JBoss AS, while HTTPS is Apache with ajp connector to JBoss, apache is 16000, ajp 8009.
Luke Taylor was right. It’s not Spring Secuiry issue. Remember kids, check everything twice after your colleagues. In my case, Apache VirtualHost was wrongly configured:
Notice additional slash at the end of ProxyPass, that was the problem