Home/ Questions/Q 8596417
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T00:40:34+00:00

We follow a certain convention when creating our URIs. All authentication related URIs such

  • 0

We follow a certain convention when creating our URIs. All authentication related URIs such as /login, /logout, /changepassword etc fall under the sub-context /auth.

Thus our authentication-related URIs look like:

/auth/login
/auth/logout
/auth/changepassword

This is what we have in the Spring security context XML.

<http pattern="/auth/**" security="none" />
<http pattern="/resources/**" security="none" />

<http auto-config="true" access-decision-manager-ref="accessDecisionManager">
    <intercept-url pattern="/admin/**" access="ADMINISTRATIVE_ACCESS"/>
    <intercept-url pattern="/**" access="XYZ_ACCESS"/>

    <form-login
            login-page="/auth/login"
            default-target-url="/content"
            authentication-failure-url="/auth/loginFailed"
            authentication-success-handler-ref="authenticationSuccessHandler"/>

    <logout logout-url="/auth/logout" logout-success-url="/auth/login"/>
</http>

The problem now is that /auth/logout gives me a 404 when accessed. However, if I change it to start with something other than /auth such as /abcd/logout or even /logout, it works fine.

I am thinking this is due to the fact that we have defined /auth/** as unsecured and yet trying to use it as a logout page. (How can you access logout if you have not logged in?)

Is there any way out of this in order to please our rather strict URI naming convention?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You’re right about the part:

    I am thinking this is due to the fact that we have defined /auth/** as
    unsecured and yet trying to use it as a logout page. (How can you
    access logout if you have not logged in?)

    More precise defining 

    <http pattern="/auth/**" security="none" />

    means no Spring Security filter is applied to requests that match /auth/** pattern and hence Spring Security does not controll /auth/logout URL while it should.

    Because Spring Security matches pattern from top to bottom simple override for /auth/logout in your main <http> won’t work, so solution to that problem can be defining separate patterns:

    <http pattern="/auth/login" security="none" />
<http pattern="/auth/changepassword" security="none" />
<http pattern="/resources/**" security="none" />

<http auto-config="true" use-expressions="true" access-decision-manager-ref="accessDecisionManager">
    <intercept-url pattern="/auth/logout" access="permitAll"/>
    <intercept-url pattern="/admin/**" access="ADMINISTRATIVE_ACCESS"/>
    <intercept-url pattern="/**" access="XYZ_ACCESS"/>
    <!-- rest of your config -->
</http>

    If you have many of /auth/* URLs to be handled, you can use <http>‘s request-matcher="regex", but I don’t think it’ll be readable that way.

    • 0