: I'm getting through the Spring Security and AngularJS tutorial (http://spring.io/guides/tutorials/spring-security-and-angular-js
). And facing a problem in Part 5 (SSO with OAuth2): if I use separate SecurityConfiguration in the UI (like in vanilla or spring-session parts, https://github.com/spring-guides/tut-spring-security-and-angular-js/blob/master/spring-session/ui/src/main/java/demo/UiApplication.java)
, then the custom csrfHeaderFilter doesn't get applied (at least I suspect so), the default version of OncePerRequestFilter is applied instead, which seems to be using X-CSRF-TOKEN, rather than X-XSRF-TOKEN. As a result I get following message when logout:
DEBUG 8634 --- [nio-8080-exec-2] o.s.security.web.csrf.CsrfFilter: Invalid CSRF token found for http://localhost:8080/logout
. If I do all configuration in the UiApplication (like here https://github.com/spring-guides/tut-spring-security-and-angular-js/blob/master/oauth2-vanilla/ui/src/main/java/demo/UiApplication.java
), then I don't get the invalid token message. The question is what is the difference and why this happens? What to do if I want my configuration in a separate class?
Another question wrt part5 is when I logout (the case above without csrf problem) I'm forwarded to '#/', which looks like logged out screen (no logout button, no greeting), but as soon as I refresh the page, I see the screen as I logged in (without logging in). Is it because I'm still logged in on AuthorizationServer or there is something wrong in my code?