29 lines
976 B
Plaintext
29 lines
976 B
Plaintext
|
[[reactive-logout]]
|
||
|
|
= Logout
|
||
|
|
|
||
|
|
Spring Security provides a logout endpoint by default.
|
||
|
|
Once logged in, you can `GET /logout` to see a default logout confirmation page, or you can `POST /logout` to initiate logout.
|
||
|
|
This will:
|
||
|
|
|
||
|
|
- clear the `ServerCsrfTokenRepository`, `ServerSecurityContextRepository`, and
|
||
|
|
- redirect back to the login page
|
||
|
|
|
||
|
|
Often, you will want to also invalidate the session on logout.
|
||
|
|
To achieve this, you can add the `WebSessionServerLogoutHandler` to your logout configuration, like so:
|
||
|
|
|
||
|
|
[source,java]
|
||
|
|
----
|
||
|
|
@Bean
|
||
|
|
SecurityWebFilterChain http(ServerHttpSecurity http) throws Exception {
|
||
|
|
DelegatingServerLogoutHandler logoutHandler = new DelegatingServerLogoutHandler(
|
||
|
|
new WebSessionServerLogoutHandler(), new SecurityContextServerLogoutHandler()
|
||
|
|
);
|
||
|
|
|
||
|
|
http
|
||
|
|
.authorizeExchange((exchange) -> exchange.anyExchange().authenticated())
|
||
|
|
.logout((logout) -> logout.logoutHandler(logoutHandler));
|
||
|
|
|
||
|
|
return http.build();
|
||
|
|
}
|
||
|
|
----
|