vdenotaris / spring-boot-security-saml-sample

SBS3 — A sample SAML 2.0 Service Provider built on Spring Boot.

Home Page: https://sbs3.vdenotaris.com


Is a default LogoutFilter needed?

FlasH-RUS opened this issue

Hi,
First, thanks for this sample :)
Second, I have a question (that may resolve into an actual issue).
Why does your WebSecurityConfig contain a default Spring LogoutFilter configuration:

        http
            .logout()
                .logoutSuccessUrl("/");

From what I understand after hours spent on making Spring SAML work correctly, it (Spring SAML) overrides the default logout behavior with its own (available at /saml/logout), therefore the default Spring LogoutFilter doesn't make sense anymore (it's still available by POST to /logout, but it literally does nothing except for redirecting to /). So since LogoutConfigurer comes as a default and WebSecurityConfig uses defaults (by reusing a default constructor which in turn calls this(false)), does it make sense to replace the snippet above with `http.logout().disable();`, at least to avoid confusion?

Your suggestion is absolutely right. This issue will be fixed in the next release.
Thanks a lot for your contribution. 👍