Spring Security Java Config not generating logout url

I am using Spring 4.0.5.RELEASE and Spring Security 3.2.4.

I am trying to create a simple sample app using java config (based on the Spring samples). The app starts up and the authentication works correctly, that is, I am redirected to a login form when accessing protected url /settings/profile

However there is no /logout url generated? if I hit localhost:8080/logout I get a 404.

I've used similar code on a previous project, so maybe has something to do with versions?

Heres my Security Config

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
        auth.inMemoryAuthentication().withUser("admin").password("password").roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/settings/**").hasRole("ROLE_ADMIN")
                    .and()
                .formLogin()
                    .and()
                .logout()
                    .deleteCookies("remove")
                    .invalidateHttpSession(true)
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/logout-success")
                .permitAll();
    }
}

Here is my WebAppInitializer to bootstrap the app

 public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class<?>[] { SecurityConfig.class , MvcConfig.class };
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        return null;
    }

    @Override
    protected String[] getServletMappings() {
         return new String[] {"/"};
    }
}

and finally my MvcConfig

@EnableWebMvc
@Configuration
@ComponentScan(basePackages = {"web"})
public class MvcConfig extends WebMvcConfigurerAdapter {

    @Bean
    public ViewResolver viewResolver() {
        InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
        viewResolver.setViewClass(JstlView.class);
        viewResolver.setPrefix("/WEB-INF/views");
        viewResolver.setSuffix(".jsp");
        return viewResolver;
    }
}

By any chance, do you know how to configure this with xml ?

I am facing a similar problem. I am doing a POST /appContextRoot/logout and passing the necessary XSRF-TOKEN header, and I still get a 404. Is there more to it?

Worth noting that this is not best practice, as it opens you up to potential CSRF attacks. From the JavaDoc: The URL that triggers log out to occur (default is "/logout"). If CSRF protection is enabled (default), then the request must also be a POST. This means that by default POST "/logout" is required to trigger a log out. If CSRF protection is disabled, then any HTTP method is allowed. It is considered best practice to use an HTTP POST on any action that changes state (i.e. log out) to protect against CSRF attacks. ...

in many cases, like in an old JSP, using a normal logout link will aways send a GET request, but you can use a form as a workaround like described here: stackoverflow.com/questions/6791238/…

better yet, without JavaScript, but styling the button as a link: stackoverflow.com/a/22076149/160799