Grails Spring Security Plugin - Logout postOnly setting

I had a question come in about a setting in Spring Security so I thought I would take a quick minute and explain it in case anyone else also has the same question. There is a setting

`grails.plugin.springsecurity.logout.postOnly = true`

that is true by default. If you look at the LogoutController's index action, this makes a little more sense.

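```groovy
import grails.plugin.springsecurity.SpringSecurityUtils
import grails.plugin.springsecurity.annotation.Secured

import javax.servlet.http.HttpServletResponse

@Secured('permitAll')
class LogoutController {

	/**
	 * Index action. Redirects to the Spring security logout uri.
	 */
	def index() {

		// Reject anything other than POST while logout.postOnly is enabled
		if (!request.post && SpringSecurityUtils.getSecurityConfig().logout.postOnly) {
			response.sendError HttpServletResponse.SC_METHOD_NOT_ALLOWED // 405
			return
		}

		// TODO put any pre-logout code here
		redirect uri: SpringSecurityUtils.securityConfig.logout.filterProcessesUrl // '/j_spring_security_logout'
	}
}
```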

All this is saying is that to log out, the request must be made as a POST. An easy way to do that is to create a link to the logout controller (remember, index is our default action).

 [Logout](${createLink(controller: 'logout')})

If you try to just visit the URL `http://localhost:8080/{your_context}/logout`, you can tell from the code that this should return a 405 error, and it does.
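A browser fetches a plain anchor with GET, so for the logout link to pass the `request.post` check it has to be backed by a form. The GSP below is an added example, not code from the original post; the form name `logoutForm` and the button and link labels are assumptions.

```html
<%-- Added example (GSP). The form name and labels are assumptions. --%>

<%-- A plain anchor is fetched with GET, so with postOnly = true
     LogoutController.index() answers 405 Method Not Allowed. --%>
<a href="${createLink(controller: 'logout')}">Logout (GET, rejected)</a>

<%-- A form submits with POST, which passes the request.post check.
     No action is given, so the controller's default index action runs. --%>
<g:form controller="logout" method="POST" name="logoutForm">
    <g:submitButton name="logout" value="Logout"/>
</g:form>

<%-- If the page should show a link rather than a button, have the link
     submit the same form instead of navigating to the URL. --%>
<a href="#"
   onclick="document.forms['logoutForm'].submit(); return false;">Logout</a>
```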


Dan Vega
