Enable CSRF on logout

pass-core-main/src/main/java/org/eclipse/pass/main/security/SecurityConfiguration.java

@@ -85,10 +85,8 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         // Enable CSRF protection using a cookie to send the token. See
         // https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#csrf-integration-javascript-spa
         // Make sure the cookie value can be parsed when returned in a header
-        // Do not protect /logout so it can be triggered with GET
         // Ensure that GET requests to the doi service are protected since they have side effects
         http.csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
-                .ignoringRequestMatchers("/logout")
                 .requireCsrfProtectionMatcher(new OrRequestMatcher(CsrfFilter.DEFAULT_CSRF_MATCHER,
                         new AntPathRequestMatcher("/doi/**")))
                 .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler()));
@@ -124,8 +122,6 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 
         http.saml2Metadata(Customizer.withDefaults());
 
-        http.saml2Logout(Customizer.withDefaults());
-
         // Delete specified cookies on logout.
         // Each cookie is specified as a name and path separated by whitespace.
         Cookie[] cookies = logoutDeleteCookies.stream().map(s -> {
@@ -137,10 +133,9 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
             return c;
         }).toArray(Cookie[]::new);
 
-        // Allow GET on /logout
         CookieClearingLogoutHandler logoutHandler = new CookieClearingLogoutHandler(cookies);
-        http.logout(l -> l.logoutSuccessUrl(logoutSuccessUrl).
-                logoutRequestMatcher(new AntPathRequestMatcher("/logout")).addLogoutHandler(logoutHandler));
+        http.logout(l -> l.logoutSuccessUrl(logoutSuccessUrl)
+                .addLogoutHandler(logoutHandler));
 
         // Map SAML user to PASS user
         http.addFilterAfter(passAuthFilter, Saml2WebSsoAuthenticationFilter.class);

pass-core-main/src/test/java/org/eclipse/pass/main/security/AccessControlTest.java

@@ -19,6 +19,7 @@
 import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;
 
 import java.io.IOException;
@@ -799,14 +800,21 @@ public void testLogout() throws IOException {
         {
             String url = getBaseUrl() + "logout";
 
-            Request request = new Request.Builder().url(url).get().build();
+            RequestBody body = RequestBody.create("{}", JSON_API_MEDIA_TYPE);
+            Request request = new Request.Builder().url(url)
+                .header("Accept", JSON_API_CONTENT_TYPE)
+                .header("Content-Type", JSON_API_CONTENT_TYPE)
+                .header("X-XSRF-TOKEN", getCsrfToken())
+                .post(body).build();
             Response response = client.newCall(request).execute();
 
-            assertEquals(204, response.code());
+            assertEquals(200, response.code());
+            assertEquals("http://localhost:8080/login", response.request().url().toString());
+            assertTrue(response.priorResponse().isRedirect());
         }
 
         // Session cookie deleted
-        assertEquals(null, get_cookie("JSESSIONID"));
+        assertNull(get_cookie("JSESSIONID"));
 
         {
             String url = getBaseUrl() + "app/";