Logout
Spring Security provides a logout endpoint by default.
Once logged in, you can GET /logout
to see a default logout confirmation page, or you can POST /logout
to initiate logout.
This will:
- clear the `ServerCsrfTokenRepository` and the `ServerSecurityContextRepository`, and
- redirect back to the login page
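The steps above clear the stored CSRF token and security context, but they do not invalidate the session itself.
Often, you will also want to invalidate the session on logout, so that no other session state outlives the logout.
To achieve this, you can add the `WebSessionServerLogoutHandler` to your logout configuration, like so: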
The Java configuration is shown first, followed by the Kotlin equivalent:
/**
 * Builds the reactive security filter chain with a logout handler that
 * invalidates the WebSession in addition to clearing the security context.
 *
 * Every exchange requires an authenticated user.
 *
 * @param http the ServerHttpSecurity builder to configure
 * @return the built SecurityWebFilterChain
 */
@Bean
SecurityWebFilterChain http(ServerHttpSecurity http) throws Exception {
    // Session invalidation is the handler this configuration adds.
    WebSessionServerLogoutHandler invalidateSession = new WebSessionServerLogoutHandler();
    // NOTE(review): the context handler is listed explicitly, presumably because
    // logoutHandler(...) replaces the default handler rather than adding to it;
    // confirm against the LogoutSpec Javadoc before dropping it.
    SecurityContextServerLogoutHandler clearContext = new SecurityContextServerLogoutHandler();
    // The delegating handler receives the session handler first, then the context handler.
    DelegatingServerLogoutHandler sessionAndContextLogout =
            new DelegatingServerLogoutHandler(invalidateSession, clearContext);

    http.authorizeExchange((authorize) -> authorize.anyExchange().authenticated());
    http.logout((spec) -> spec.logoutHandler(sessionAndContextLogout));
    return http.build();
}
/**
 * Builds the reactive security filter chain with a logout handler that
 * invalidates the WebSession in addition to clearing the security context.
 *
 * Every exchange requires an authenticated user.
 *
 * @param http the [ServerHttpSecurity] builder to configure
 * @return the built [SecurityWebFilterChain]
 */
@Bean
fun http(http: ServerHttpSecurity): SecurityWebFilterChain {
    // Session invalidation is the handler this configuration adds.
    val invalidateSession = WebSessionServerLogoutHandler()
    // NOTE(review): the context handler is listed explicitly, presumably because
    // assigning logoutHandler replaces the default handler rather than adding to it;
    // confirm against the DSL documentation before dropping it.
    val clearContext = SecurityContextServerLogoutHandler()
    // Must not be named `logoutHandler`: that name is the DSL property assigned below.
    val sessionAndContextLogout = DelegatingServerLogoutHandler(invalidateSession, clearContext)

    return http {
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
        logout {
            logoutHandler = sessionAndContextLogout
        }
    }
}