Bogdan Zeleniuk - 2 months ago
Java Question

spring security gives the error while redirecting to logout.jsp

I have the


exception while redirecting to the logout.jsp page. I think I get this exception because of a wrong Spring Security config file, but I don't know where it is. If somebody knows how to fix it, then please tell me.
What does it mean? My code:

spring security config:

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

protected void configure(HttpSecurity http) throws Exception {
.antMatchers("/js/**", "/css/**").permitAll()


logout button:

<div class="navbar navbar-default navbar-fixed-top" role="navigation">
<div class="container">
<a class="navbar-brand">Contacts List</a>

<div class="collapse navbar-collapse">
<form class="navbar-form navbar-right">
<a class="btn btn-primary" role="button" href="logout">Logout</a>

and login.jsp:
<jsp:include page="headTag.jsp"/>
<div class="navbar navbar-default navbar-fixed-top" role="navigation">
<div class="container">
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav navbar-right">
<c:url value="/j_spring_security_check" var="loginUrl"/>
<form:form class="navbar-form" role="form" action="${loginUrl}"
<div class="form-group">
<label for="username"> Login: </label>
<div class="col-sm-3">
<input type="text" placeholder="Login" class="form-control" name='username' id="username">
<div class="form-group">
<label for="password"> Password: </label>
<div class="col-sm-3">
<input type="password" placeholder="Password" class="form-control" name='password' id="password">
<div class="form-group">
<button type="submit" class="btn btn-success">Sign in</button>
<form class="navbar-form" action="<c:url value="register.jsp" />">
<button class="btn btn-sm btn-block btn-primary" role="button">Register</button>
<div class="jumbotron">
<div class="container">
<c:if test="${not empty error}">
<div class="error">${error}</div>
<c:if test="${not empty logout}">
<div class="message">${logout}</div>

<p>User login: <b> Bill </b></p>
<p>User password: <b> 112233 </b></p>

<p>Стек технологий: <a href="">Spring Security</a>,
<a href="">Spring MVC</a>,
<a href="">Spring Data JPA</a>,
<a href="">Spring Security
<a href="">Hibernate ORM</a>,
<a href="">Hibernate Validator</a>,
<a href="">SLF4J</a>,
<a href="">Json Jackson</a>,
<a href="">JSP</a>,
<a href="">JSTL</a>,
<a href="">Apache Tomcat</a>,
<a href="">WebJars</a>,
<a href="">DataTables plugin</a>,
<a href="">Ehcache</a>,
<a href="">PostgreSQL</a>,
<a href="">JUnit</a>,
<a href="">Hamcrest</a>,
<a href="">jQuery</a>,
<a href="">jQuery notification</a>,
<a href="">Bootstrap</a>.</p>
<jsp:include page="footer.jsp"/>


public class RootController extends AbstractUserController implements ErrorController {

    private static final String PATH = "/error";

    @RequestMapping(value = "/", method = RequestMethod.GET)
    public String root() {
        return "redirect:/contacts";
    }

    @RequestMapping(value = "/contacts", method = RequestMethod.GET)
    public String contactList() {
        return "contacts";
    }

    @RequestMapping(value = "/login", method = {RequestMethod.GET, RequestMethod.POST})
    public String login(Model model, @RequestParam(value = "error", required = false) boolean error) {
        model.addAttribute("error", error);
        return "login";
    }

    @RequestMapping(value = "/logout", method = {RequestMethod.GET, RequestMethod.POST})
    public String logoutPage(HttpServletRequest request, HttpServletResponse response) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null) {
            new SecurityContextLogoutHandler().logout(request, response, auth);
        }
        return "logout";
    }

    @RequestMapping(value = "/register", method = RequestMethod.GET)
    public String register(ModelMap model) {
        model.addAttribute("userDTO", new UserDTO());
        model.addAttribute("register", true);
        return "register";
    }

    @RequestMapping(value = PATH)
    public String error() {
        return "redirect:/login";
    }

    @RequestMapping(value = "/register", method = RequestMethod.POST)
    public String saveRegister(@Valid UserDTO userDTO, BindingResult result, SessionStatus status, ModelMap model) {
        if (!result.hasErrors()) {
            try {
                return "redirect:login?message=app.registered";
            } catch (DataIntegrityViolationException ex) {
                result.rejectValue("Login", "---");
            }
        }
        model.addAttribute("register", true);
        return "contacts";
    }

    public String getErrorPath() {
        return PATH;
    }
}

Thanks guys.

dur

With request /logout you process the logout, and after successful logout you redirect to /logout, which tries another logout.

See LogoutConfigurer#logoutUrl

The URL that triggers log out to occur (default is "/logout"). If CSRF protection is enabled (default), then the request must also be a POST. This means that by default POST "/logout" is required to trigger a log out. If CSRF protection is disabled, then any HTTP method is allowed.

and LogoutConfigurer#logoutSuccessUrl

The URL to redirect to after logout has occurred.

You have to use two different URLs for processing and successful logout. The first URL must not exist and is only for the LogoutFilter. The second has to be implemented by your application.
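
A configuration that separates the two URLs as the answer describes; this is an added example, not code from the question or the answer. The `/logged-out` path and `LoggedOutController` are hypothetical names, and the access rules are assumptions because the rest of the asker's configuration is not shown on the page.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/js/**", "/css/**").permitAll()
                // Assumed rules: the post-logout page must be reachable without a session.
                .antMatchers("/login", "/register", "/logged-out").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                // Matches the form action used in the question's login.jsp.
                .loginProcessingUrl("/j_spring_security_check")
                .and()
            .logout()
                // Processing URL: handled entirely by LogoutFilter, so no
                // controller is mapped to it. With CSRF protection enabled
                // (the default) only POST /logout triggers the logout.
                .logoutUrl("/logout")
                // Success URL: a different path, served by the application.
                .logoutSuccessUrl("/logged-out")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID");
    }
}

// Replaces the question's logoutPage() handler, which was mapped to /logout.
@Controller
class LoggedOutController {

    @RequestMapping(value = "/logged-out", method = RequestMethod.GET)
    public String loggedOut() {
        return "logout"; // renders logout.jsp
    }
}
```

Because CSRF protection stays enabled here, the navbar's Logout link has to become a form that POSTs to `/logout` with the CSRF token, as the quoted `logoutUrl` documentation requires.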