Spring security automatically enables csrf, which automatically disabled GET logouts. You can fix this by disabling csrf protection by settings <csrf disabled="true"/>in the <http>, or just using a POST.

Spring security 会自动启用 csrf，它会自动禁用 GET 注销。您可以通过禁用CSRF保护通过设置解决这个问题<csrf disabled="true"/>的<http>，或者只是使用POST。

See http://docs.spring.io/spring-security/site/docs/4.0.1.RELEASE/reference/htmlsingle/#csrf-logout

见http://docs.spring.io/spring-security/site/docs/4.0.1.RELEASE/reference/htmlsingle/#csrf-logout

Simply, put the following code in the jsp where you want to have the logout-

简单的，把下面的代码放在你想要注销的jsp中——

<c:url var="logoutUrl" value="/j_spring_security_logout" />
    <form action="${logoutUrl}" id="logout" method="post">
        <input type="hidden" name="${_csrf.parameterName}"
            value="${_csrf.token}" />
    </form>
    <a href="#" onclick="document.getElementById('logout').submit();">Logout</a>

Corresponding entry in the bean configuration file-

bean配置文件中的对应条目——

<security:logout logout-url="/j_spring_security_logout" logout-success-url="/whateverPageYouWant" invalidate-session="true" />

-This worked for me for spring-security-4.*

- 这对 spring-security-4 对我有用。*

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
   //...
   http.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
  }
}

1. The logout url is "/j_spring_security_logout" so edit your view accordingly

2. CSRF is by default enabled which will require every POST request (which the logout is) to have a CSRF token. So either disable CSRF (which I will not recommend) or frame the logout inside a form with action as above logout url and a hidden input with CSRF token like this

1. 注销 url 是“/j_spring_security_logout”，因此相应地编辑您的视图

2. CSRF 默认是启用的，这将要求每个 POST 请求（即注销）都有一个 CSRF 令牌。因此，要么禁用 CSRF（我不推荐），要么在表单中框住注销，其操作如上述注销 url 和带有 CSRF 令牌的隐藏输入，如下所示

With Spring security 4.2.13 I have a managed to make this work by navigating to the logout URL through a form submission (POST method) instead of using a link.

使用 Spring security 4.2.13，我设法通过表单提交（POST 方法）而不是使用链接导航到注销 URL 来完成这项工作。

I replaced <p><a href="<c:url value='/logout'/>">Log out</a></p>with

我<p><a href="<c:url value='/logout'/>">Log out</a></p>用

<form name='f' action='${pageContext.request.contextPath}/logout' method='POST'>
<input name="logout" type="submit" value="Log out" />
<input name="${_csrf.parameterName}" type="hidden"
    value="${_csrf.token}" />
</form>

in my view layer, which is a JSP page. This way you will get a button instead of a link. (In older Spring versions the default logout URL was "/j_spring_security_logout".)

在我的视图层，这是一个 JSP 页面。这样，您将获得一个按钮而不是链接。（在较早的 Spring 版本中，默认的注销 URL 是“/j_spring_security_logout”。）

Add to Spring Security:

添加到 Spring Security：

<logout
 logout-success-url="/anonymous.html"
 logout-url="/perform_logout"
 delete-cookies="JSESSIONID" />

under httptag

在http标签下

Note that there is no "logout page". the /logout is Spring's endpoint, that let Spring know that the app asks to logout a user, so it invokes a specific handler.

请注意，没有“注销页面”。/logout 是 Spring 的端点，它让 Spring 知道应用程序要求注销用户，因此它调用特定的处理程序。

After logging the user out, Spring redirects to another page, and you can configure the "default target" in your XML.

用户注销后，Spring 重定向到另一个页面，您可以在 XML 中配置“默认目标”。