io.micronaut.security.endpoints.LogoutController is annotated by @Secured(SecurityRule.IS_ANONYMOUS)

In general one would expect a user to be authenticated before logout. What am I missing?

destan
Your question is a bit opinion-based, and you should consider asking Micronaut maintainers about it to get the most accurate answer. I'm guessing, however, that it is intended to avoid the login-logout infinite loop. If this endpoint required authentication, you would be redirected to the login page. Once logged in, you would be redirected to the logout page. And the infinite cycle starts. When this endpoint does not require authentication, it gives you a chance to either display a message like "You are not logged in", or simply redirect to the main controller. – Szymon Stepniak Jun 08 '21 at 07:29

1 Answer

You're right that it doesn't make sense to log out without being logged in, but if there were a non-anonymous rule for the controller and you accessed it without being logged in, it would trigger a login. The best thing to do is to let it be a no-op for non-authenticated access.

Burt Beckwith