diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java
index 7e71ca5ff9..c590a04e65 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java
@@ -98,18 +98,36 @@ public final class LogoutConfigurer> extends Ab
 }
 /**
- * The URL that triggers logout to occur on HTTP POST. The default is "/logout"
- * @param logoutUrl the URL that will invoke logout.
+ * The URL that triggers log out to occur on HTTP POST. The default is
+ * "/logout".
+ *
+ *

+ * It is considered best practice to use an HTTP POST on any action that
+ * changes state (i.e. log out) to protect against CSRF
+ * attacks. If you really want to use an HTTP GET, you can use
+ * logoutRequestMatcher(new AntPathRequestMatcher(logoutUrl, "GET"));
+ *

+ *
+ * @see #logoutRequestMatcher(RequestMatcher)
+ *
+ * @param logoutUrl
+ * the URL that will invoke logout.
 * @return the {@link LogoutConfigurer} for further customization
 */
 public LogoutConfigurer logoutUrl(String logoutUrl) {
 return logoutRequestMatcher(new AntPathRequestMatcher(logoutUrl, "POST"));
 }
- /**
- * The RequestMatcher that triggers logout to occur on HTTP POST. The default is "/logout"
- * @param logoutRequestMatcher the RequestMatcher used to determine if logout should occur.
+ * The RequestMatcher that triggers log out to occur. In most circumstances
+ * users will use {@link #logoutUrl(String)} which helps enforce good
+ * practices.
+ *
+ * @see #logoutUrl(String)
+ *
+ * @param logoutRequestMatcher
+ * the RequestMatcher used to determine if logout should occur.
 * @return the {@link LogoutConfigurer} for further customization
 */
 public LogoutConfigurer logoutRequestMatcher(RequestMatcher logoutRequestMatcher) {
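Review bot: In the new Javadoc on logoutUrl, `(i.e. log out)` should read `(e.g. log out)`: logging out is one example of a state-changing action, not a restatement of the term. The same paragraph offers `logoutRequestMatcher(new AntPathRequestMatcher(logoutUrl, "GET"))` as the escape hatch without naming the trade-off it described one sentence earlier; appending a clause such as `, accepting that a logout triggered by GET is no longer covered by the CSRF protection described above.` would make the consequence explicit at the point of the example. The body of logoutRequestMatcher continues outside the hunk.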