spring-security/docs/modules/ROOT/pages/reactive/authentication/logout.adoc

[[reactive-logout]]
= Logout

Spring Security provides a logout endpoint by default.
Once logged in, you can `GET /logout` to see a default logout confirmation page, or you can `POST /logout` to initiate logout.
This will:

- clear the `ServerCsrfTokenRepository`, `ServerSecurityContextRepository`, and
- redirect back to the login page

Often, you will want to also invalidate the session on logout.
To achieve this, you can add the `WebSessionServerLogoutHandler` to your logout configuration, like so:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
SecurityWebFilterChain http(ServerHttpSecurity http) throws Exception {
    DelegatingServerLogoutHandler logoutHandler = new DelegatingServerLogoutHandler(
            new SecurityContextServerLogoutHandler(), new WebSessionServerLogoutHandler()
    );

    http
        .authorizeExchange((exchange) -> exchange.anyExchange().authenticated())
        .logout((logout) -> logout.logoutHandler(logoutHandler));

    return http.build();
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun http(http: ServerHttpSecurity): SecurityWebFilterChain {
    val customLogoutHandler = DelegatingServerLogoutHandler(
        SecurityContextServerLogoutHandler(), WebSessionServerLogoutHandler()
    )
    
    return http {
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
        logout {
            logoutHandler = customLogoutHandler
        }
    }
}
----
======
Docs for WebSessionServerLogoutHandler Issue gh-4838 2021-08-16 15:09:42 -04:00			`[[reactive-logout]]`
			`= Logout`

			`Spring Security provides a logout endpoint by default.`
			Once logged in, you can `GET /logout` to see a default logout confirmation page, or you can `POST /logout` to initiate logout.
			`This will:`

			- clear the `ServerCsrfTokenRepository`, `ServerSecurityContextRepository`, and
			`- redirect back to the login page`

			`Often, you will want to also invalidate the session on logout.`
			To achieve this, you can add the `WebSessionServerLogoutHandler` to your logout configuration, like so:

Merge branch '5.6.x' into 5.7.x Closes gh-13404 2023-06-18 22:31:35 -04:00			`[tabs]`
			`======`
			`Java::`
			`+`
Add Kotlin example for logout configuration of reactive authentication Closes gh-10819 2022-02-10 11:07:20 -05:00			`[source,java,role="primary"]`
Docs for WebSessionServerLogoutHandler Issue gh-4838 2021-08-16 15:09:42 -04:00			`----`
			`@Bean`
			`SecurityWebFilterChain http(ServerHttpSecurity http) throws Exception {`
			`DelegatingServerLogoutHandler logoutHandler = new DelegatingServerLogoutHandler(`
Fix ServerLogoutHandler Order in Docs Closes gh-14379 2024-03-04 17:42:05 -05:00			`new SecurityContextServerLogoutHandler(), new WebSessionServerLogoutHandler()`
Docs for WebSessionServerLogoutHandler Issue gh-4838 2021-08-16 15:09:42 -04:00			`);`

			`http`
			`.authorizeExchange((exchange) -> exchange.anyExchange().authenticated())`
			`.logout((logout) -> logout.logoutHandler(logoutHandler));`

			`return http.build();`
			`}`
			`----`
Add Kotlin example for logout configuration of reactive authentication Closes gh-10819 2022-02-10 11:07:20 -05:00
Merge branch '5.6.x' into 5.7.x Closes gh-13404 2023-06-18 22:31:35 -04:00			`Kotlin::`
			`+`
Add Kotlin example for logout configuration of reactive authentication Closes gh-10819 2022-02-10 11:07:20 -05:00			`[source,kotlin,role="secondary"]`
			`----`
			`@Bean`
			`fun http(http: ServerHttpSecurity): SecurityWebFilterChain {`
			`val customLogoutHandler = DelegatingServerLogoutHandler(`
Fix ServerLogoutHandler Order in Docs Closes gh-14379 2024-03-04 17:42:05 -05:00			`SecurityContextServerLogoutHandler(), WebSessionServerLogoutHandler()`
Add Kotlin example for logout configuration of reactive authentication Closes gh-10819 2022-02-10 11:07:20 -05:00			`)`

			`return http {`
			`authorizeExchange {`
			`authorize(anyExchange, authenticated)`
			`}`
			`logout {`
			`logoutHandler = customLogoutHandler`
			`}`
			`}`
			`}`
			`----`
Merge branch '5.6.x' into 5.7.x Closes gh-13404 2023-06-18 22:31:35 -04:00			`======`