Is a default LogoutFilter needed?
FlasH-RUS opened this issue
Hi,
First, thanks for this sample :)
Second, I have a question (that may resolve into an actual issue).
Why does your WebSecurityConfig contain a default Spring LogoutFilter configuration:
    http
        .logout()
        .logoutSuccessUrl("/");
From what I understand after hours spent on making Spring SAML work correctly, it (Spring SAML) overrides the default logout behavior with its own (available at /saml/logout), therefore the default Spring LogoutFilter doesn't make sense anymore (it's still available by POST to /logout, but it literally does nothing except for redirecting to /). So since LogoutConfigurer comes as a default and WebSecurityConfig uses defaults (by reusing a default constructor which in turn calls this(false)), does it make sense to replace the snippet above with http.logout().disable(); at least to avoid confusion?
Your suggestion is absolutely right. This issue will be fixed in the next release.
Thanks a lot for your contribution. 👍