|
|
@@ -0,0 +1,28 @@
|
|
|
+[[reactive-logout]]
|
|
|
+= Logout
|
|
|
+
|
|
|
+Spring Security provides a logout endpoint by default.
|
|
|
+Once logged in, you can `GET /logout` to see a default logout confirmation page, or you can `POST /logout` to initiate logout.
|
|
|
+This will:
|
|
|
+
|
|
|
+- clear the `ServerCsrfTokenRepository`, `ServerSecurityContextRepository`, and
|
|
|
+- redirect back to the login page
|
|
|
+
|
|
|
+Often, you will want to also invalidate the session on logout.
|
|
|
+To achieve this, you can add the `WebSessionServerLogoutHandler` to your logout configuration, like so:
|
|
|
+
|
|
|
+[source,java]
|
|
|
+----
|
|
|
+@Bean
|
|
|
+SecurityWebFilterChain http(ServerHttpSecurity http) throws Exception {
|
|
|
+ DelegatingServerLogoutHandler logoutHandler = new DelegatingServerLogoutHandler(
|
|
|
+ new WebSessionServerLogoutHandler(), new SecurityContextServerLogoutHandler()
|
|
|
+ );
|
|
|
+
|
|
|
+ http
|
|
|
+ .authorizeExchange((exchange) -> exchange.anyExchange().authenticated())
|
|
|
+ .logout((logout) -> logout.logoutHandler(logoutHandler));
|
|
|
+
|
|
|
+ return http.build();
|
|
|
+}
|
|
|
+----
|
Josh Cummings