| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354 |
- [[reactive-logout]]
- = Logout
- Spring Security provides a logout endpoint by default.
- Once logged in, you can `GET /logout` to see a default logout confirmation page, or you can `POST /logout` to initiate logout.
- This will:
- - clear the `ServerCsrfTokenRepository`, `ServerSecurityContextRepository`, and
- - redirect back to the login page
- Often, you will want to also invalidate the session on logout.
- To achieve this, you can add the `WebSessionServerLogoutHandler` to your logout configuration, like so:
- [tabs]
- ======
- Java::
- +
- [source,java,role="primary"]
- ----
- @Bean
- SecurityWebFilterChain http(ServerHttpSecurity http) throws Exception {
- DelegatingServerLogoutHandler logoutHandler = new DelegatingServerLogoutHandler(
- new SecurityContextServerLogoutHandler(), new WebSessionServerLogoutHandler()
- );
- http
- .authorizeExchange((exchange) -> exchange.anyExchange().authenticated())
- .logout((logout) -> logout.logoutHandler(logoutHandler));
- return http.build();
- }
- ----
- Kotlin::
- +
- [source,kotlin,role="secondary"]
- ----
- @Bean
- fun http(http: ServerHttpSecurity): SecurityWebFilterChain {
- val customLogoutHandler = DelegatingServerLogoutHandler(
- SecurityContextServerLogoutHandler(), WebSessionServerLogoutHandler()
- )
-
- return http {
- authorizeExchange {
- authorize(anyExchange, authenticated)
- }
- logout {
- logoutHandler = customLogoutHandler
- }
- }
- }
- ----
- ======
|
