2018-09-18 17:09:18 -05:00
[[webflux-headers]]
2019-10-24 15:03:05 -05:00
= Security HTTP Response Headers
2018-09-18 17:09:18 -05:00
2021-12-13 16:57:36 -06:00
You can use xref:features/exploits/headers.adoc#headers[Security HTTP Response Headers] to increase the security of web applications.
2021-04-21 16:01:26 -05:00
This section is dedicated to WebFlux-based support for Security HTTP Response Headers.
2018-09-18 17:09:18 -05:00
2019-11-07 10:55:27 -06:00
[[webflux-headers-default]]
== Default Security Headers
2018-09-18 17:09:18 -05:00
2021-08-10 15:21:42 -05:00
Spring Security provides a xref:features/exploits/headers.adoc#headers-default[default set of Security HTTP Response Headers] to provide secure defaults.
2021-04-21 16:01:26 -05:00
While each of these headers are considered best practice, it should be noted that not all clients use the headers, so additional testing is encouraged.
2018-09-18 17:09:18 -05:00
You can customize specific headers.
2021-12-13 16:57:36 -06:00
For example, assume that you want the defaults but you wish to specify `SAMEORIGIN` for xref:servlet/exploits/headers.adoc#servlet-headers-frame-options[`X-Frame-Options`].
2018-09-18 17:09:18 -05:00
2021-04-21 16:01:26 -05:00
You can do so with the following configuration:
2018-09-18 17:09:18 -05:00
2020-07-14 16:34:30 +02:00
.Customize Default Security Headers
2023-06-18 21:30:41 -05:00
[tabs]
======
Java::
+
2020-07-14 16:34:30 +02:00
[source,java,role="primary"]
2018-09-18 17:09:18 -05:00
----
@Bean
2019-07-24 12:15:32 -04:00
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
2018-09-18 17:09:18 -05:00
http
// ...
2020-01-10 13:10:36 +01:00
.headers(headers -> headers
.frameOptions(frameOptions -> frameOptions
.mode(Mode.SAMEORIGIN)
)
2019-07-22 09:31:10 -04:00
);
2018-09-18 17:09:18 -05:00
return http.build();
}
----
2020-07-14 16:34:30 +02:00
2023-06-18 21:30:41 -05:00
Kotlin::
+
2020-07-14 16:34:30 +02:00
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
frameOptions {
mode = Mode.SAMEORIGIN
}
}
}
}
----
2023-06-18 21:30:41 -05:00
======
2018-09-18 17:09:18 -05:00
2021-04-21 16:01:26 -05:00
If you do not want the defaults to be added and want explicit control over what should be used, you can disable the defaults:
2018-09-18 17:09:18 -05:00
2019-11-07 10:55:27 -06:00
.Disable HTTP Security Response Headers
2023-06-18 21:30:41 -05:00
[tabs]
======
Java::
+
2020-07-14 16:34:30 +02:00
[source,java,role="primary"]
2018-09-18 17:09:18 -05:00
----
@Bean
2019-07-24 12:15:32 -04:00
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
2018-09-18 17:09:18 -05:00
http
// ...
2020-01-10 13:10:36 +01:00
.headers(headers -> headers.disable());
2018-09-18 17:09:18 -05:00
return http.build();
}
----
2020-07-14 16:34:30 +02:00
2023-06-18 21:30:41 -05:00
Kotlin::
+
2020-07-14 16:34:30 +02:00
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
disable()
}
}
}
----
2023-06-18 21:30:41 -05:00
======
2018-09-18 17:09:18 -05:00
[[webflux-headers-cache-control]]
2018-09-18 20:30:45 -05:00
== Cache Control
2018-09-18 17:09:18 -05:00
2021-08-10 15:21:42 -05:00
Spring Security includes xref:features/exploits/headers.adoc#headers-cache-control[Cache Control] headers by default.
2018-09-18 17:09:18 -05:00
2021-04-21 16:01:26 -05:00
However, if you actually want to cache specific responses, your application can selectively add them to the https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/http/server/reactive/ServerHttpResponse.html[`ServerHttpResponse`] to override the header set by Spring Security.
This is useful to ensure that such things as CSS, JavaScript, and images are properly cached.
2018-09-18 17:09:18 -05:00
2021-04-21 16:01:26 -05:00
When using Spring WebFlux, you typically do so within your configuration.
2021-12-13 16:57:36 -06:00
You can find details on how to do so in the https://docs.spring.io/spring/docs/5.0.0.RELEASE/spring-framework-reference/web-reactive.html#webflux-config-static-resources[Static Resources] portion of the Spring Reference documentation.
2019-11-07 10:55:27 -06:00
If necessary, you can also disable Spring Security's cache control HTTP response headers.
2018-09-18 17:09:18 -05:00
2019-11-07 10:55:27 -06:00
.Cache Control Disabled
2023-06-18 21:30:41 -05:00
[tabs]
======
Java::
+
2020-07-14 16:34:30 +02:00
[source,java,role="primary"]
2018-09-18 17:09:18 -05:00
----
@Bean
2019-07-24 12:15:32 -04:00
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
2018-09-18 17:09:18 -05:00
http
// ...
2020-01-10 13:10:36 +01:00
.headers(headers -> headers
.cache(cache -> cache.disable())
2019-07-22 09:31:10 -04:00
);
2018-09-18 17:09:18 -05:00
return http.build();
}
----
2020-07-14 16:34:30 +02:00
2023-06-18 21:30:41 -05:00
Kotlin::
+
2020-07-14 16:34:30 +02:00
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
cache {
disable()
}
}
}
}
----
2023-06-18 21:30:41 -05:00
======
2019-11-07 10:55:27 -06:00
2018-09-18 17:09:18 -05:00
[[webflux-headers-content-type-options]]
2018-09-18 20:30:45 -05:00
== Content Type Options
2021-12-13 16:57:36 -06:00
By default, Spring Security includes xref:features/exploits/headers.adoc#headers-content-type-options[Content-Type] headers.
2021-04-21 16:01:26 -05:00
However, you can disable it:
2018-09-18 17:09:18 -05:00
2020-07-14 16:34:30 +02:00
.Content Type Options Disabled
2023-06-18 21:30:41 -05:00
[tabs]
======
Java::
+
2020-07-14 16:34:30 +02:00
[source,java,role="primary"]
2018-09-18 17:09:18 -05:00
----
@Bean
2019-07-24 12:15:32 -04:00
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
2018-09-18 17:09:18 -05:00
http
// ...
2020-01-10 13:10:36 +01:00
.headers(headers -> headers
.contentTypeOptions(contentTypeOptions -> contentTypeOptions.disable())
2019-07-22 09:31:10 -04:00
);
2018-09-18 17:09:18 -05:00
return http.build();
}
----
2020-07-14 16:34:30 +02:00
2023-06-18 21:30:41 -05:00
Kotlin::
+
2020-07-14 16:34:30 +02:00
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
contentTypeOptions {
disable()
}
}
}
}
----
2023-06-18 21:30:41 -05:00
======
2018-09-18 17:09:18 -05:00
[[webflux-headers-hsts]]
2018-09-18 20:30:45 -05:00
== HTTP Strict Transport Security (HSTS)
2021-12-13 16:57:36 -06:00
By default, Spring Security provides the xref:features/exploits/headers.adoc#headers-hsts[Strict Transport Security] header.
2019-11-07 10:55:27 -06:00
However, you can customize the results explicitly.
2021-04-21 16:01:26 -05:00
For example, the following example explicitly provides HSTS:
2018-09-18 17:09:18 -05:00
2020-07-14 16:34:30 +02:00
.Strict Transport Security
2023-06-18 21:30:41 -05:00
[tabs]
======
Java::
+
2020-07-14 16:34:30 +02:00
[source,java,role="primary"]
2018-09-18 17:09:18 -05:00
----
@Bean
2019-07-24 12:15:32 -04:00
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
2018-09-18 17:09:18 -05:00
http
// ...
2020-01-10 13:10:36 +01:00
.headers(headers -> headers
.hsts(hsts -> hsts
.includeSubdomains(true)
.preload(true)
.maxAge(Duration.ofDays(365))
)
2019-07-22 09:31:10 -04:00
);
2018-09-18 17:09:18 -05:00
return http.build();
}
----
2020-07-14 16:34:30 +02:00
2023-06-18 21:30:41 -05:00
Kotlin::
+
2020-07-14 16:34:30 +02:00
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
hsts {
includeSubdomains = true
preload = true
maxAge = Duration.ofDays(365)
}
}
}
}
----
2023-06-18 21:30:41 -05:00
======
2018-09-18 17:09:18 -05:00
[[webflux-headers-frame-options]]
2018-09-18 20:30:45 -05:00
== X-Frame-Options
2021-12-13 16:57:36 -06:00
By default, Spring Security disables rendering within an iframe by using xref:features/exploits/headers.adoc#headers-frame-options[`X-Frame-Options`].
2018-09-18 17:09:18 -05:00
2021-04-21 16:01:26 -05:00
You can customize frame options to use the same origin:
2018-09-18 17:09:18 -05:00
2019-11-07 10:55:27 -06:00
.X-Frame-Options: SAMEORIGIN
2023-06-18 21:30:41 -05:00
[tabs]
======
Java::
+
2020-07-14 16:34:30 +02:00
[source,java,role="primary"]
2018-09-18 17:09:18 -05:00
----
@Bean
2019-07-24 12:15:32 -04:00
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
2018-09-18 17:09:18 -05:00
http
// ...
2020-01-10 13:10:36 +01:00
.headers(headers -> headers
.frameOptions(frameOptions -> frameOptions
.mode(SAMEORIGIN)
)
2019-07-22 09:31:10 -04:00
);
2018-09-18 17:09:18 -05:00
return http.build();
}
----
2020-07-14 16:34:30 +02:00
2023-06-18 21:30:41 -05:00
Kotlin::
+
2020-07-14 16:34:30 +02:00
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
frameOptions {
mode = SAMEORIGIN
}
}
}
}
----
2023-06-18 21:30:41 -05:00
======
2018-09-18 17:09:18 -05:00
[[webflux-headers-xss-protection]]
2018-09-18 20:30:45 -05:00
== X-XSS-Protection
2022-10-06 12:00:31 +02:00
By default, Spring Security instructs browsers to disable the XSS Auditor by using <<headers-xss-protection,X-XSS-Protection header>.
You can disable the `X-XSS-Protection` header entirely:
2018-09-18 17:09:18 -05:00
2019-11-07 10:55:27 -06:00
.X-XSS-Protection Customization
2023-06-18 21:30:41 -05:00
[tabs]
======
Java::
+
2020-07-14 16:34:30 +02:00
[source,java,role="primary"]
2018-09-18 17:09:18 -05:00
----
@Bean
2019-07-24 12:15:32 -04:00
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
2018-09-18 17:09:18 -05:00
http
// ...
2020-01-10 13:10:36 +01:00
.headers(headers -> headers
.xssProtection(xssProtection -> xssProtection.disable())
2019-07-22 09:31:10 -04:00
);
2018-09-18 17:09:18 -05:00
return http.build();
}
----
2020-07-14 16:34:30 +02:00
2023-06-18 21:30:41 -05:00
Kotlin::
+
2020-07-14 16:34:30 +02:00
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
xssProtection {
disable()
}
}
}
}
----
2023-06-18 21:30:41 -05:00
======
2018-09-18 17:09:18 -05:00
2022-10-06 12:00:31 +02:00
You can also change the header value:
.X-XSS-Protection Explicit header value
2023-06-18 21:33:58 -05:00
[tabs]
======
Java::
+
2022-10-06 12:00:31 +02:00
[source,java,role="primary"]
----
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
// ...
.headers(headers -> headers
.xssProtection(xssProtection -> xssProtection.headerValue(XXssProtectionServerHttpHeadersWriter.HeaderValue.ENABLED_MODE_BLOCK))
);
return http.build();
}
----
2023-06-18 21:33:58 -05:00
Kotlin::
+
2022-10-06 12:00:31 +02:00
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
xssProtection {
headerValue = XXssProtectionServerHttpHeadersWriter.HeaderValue.ENABLED_MODE_BLOCK
}
}
}
}
----
2023-06-18 21:33:58 -05:00
======
2022-10-06 12:00:31 +02:00
2018-09-18 17:09:18 -05:00
[[webflux-headers-csp]]
2018-09-18 20:30:45 -05:00
== Content Security Policy (CSP)
2021-12-13 16:57:36 -06:00
By default, Spring Security does not add xref:features/exploits/headers.adoc#headers-csp[Content Security Policy], because a reasonable default is impossible to know without the context of the application.
The web application author must declare the security policies to enforce and/or monitor for the protected resources.
2018-09-18 17:09:18 -05:00
2021-04-21 16:01:26 -05:00
For example, consider the following security policy:
2018-09-18 17:09:18 -05:00
2019-11-07 10:55:27 -06:00
.Content Security Policy Example
[source,http]
2018-09-18 17:09:18 -05:00
----
2019-11-07 10:55:27 -06:00
Content-Security-Policy: script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/
2018-09-18 17:09:18 -05:00
----
2021-04-21 16:01:26 -05:00
Given the preceding policy, you can enable the CSP header:
2018-09-18 17:09:18 -05:00
2019-11-07 10:55:27 -06:00
.Content Security Policy
2023-06-18 21:30:41 -05:00
[tabs]
======
Java::
+
2020-07-14 16:34:30 +02:00
[source,java,role="primary"]
2018-09-18 17:09:18 -05:00
----
@Bean
2019-07-24 12:15:32 -04:00
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
2018-09-18 17:09:18 -05:00
http
// ...
2020-01-10 13:10:36 +01:00
.headers(headers -> headers
.contentSecurityPolicy(policy -> policy
.policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
)
2019-07-22 09:31:10 -04:00
);
2018-09-18 17:09:18 -05:00
return http.build();
}
----
2020-07-14 16:34:30 +02:00
2023-06-18 21:30:41 -05:00
Kotlin::
+
2020-07-14 16:34:30 +02:00
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
contentSecurityPolicy {
policyDirectives = "script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/"
}
}
}
}
----
2023-06-18 21:30:41 -05:00
======
2018-09-18 17:09:18 -05:00
2020-07-14 16:34:30 +02:00
To enable the CSP `report-only` header, provide the following configuration:
2018-09-18 17:09:18 -05:00
2019-11-07 10:55:27 -06:00
.Content Security Policy Report Only
2023-06-18 21:30:41 -05:00
[tabs]
======
Java::
+
2020-07-14 16:34:30 +02:00
[source,java,role="primary"]
2018-09-18 17:09:18 -05:00
----
@Bean
2019-07-24 12:15:32 -04:00
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
2018-09-18 17:09:18 -05:00
http
// ...
2020-01-10 13:10:36 +01:00
.headers(headers -> headers
.contentSecurityPolicy(policy -> policy
.policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
.reportOnly()
)
2019-07-22 09:31:10 -04:00
);
2018-09-18 17:09:18 -05:00
return http.build();
}
----
2020-07-14 16:34:30 +02:00
2023-06-18 21:30:41 -05:00
Kotlin::
+
2020-07-14 16:34:30 +02:00
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
contentSecurityPolicy {
policyDirectives = "script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/"
reportOnly = true
}
}
}
}
----
2023-06-18 21:30:41 -05:00
======
2018-09-18 17:09:18 -05:00
[[webflux-headers-referrer]]
2018-09-18 20:30:45 -05:00
== Referrer Policy
2018-09-18 17:09:18 -05:00
2023-07-20 15:36:27 -03:00
Spring Security adds the xref:features/exploits/headers.adoc#headers-referrer[Referrer Policy] header by default with the directive `no-referrer`.
You can change the Referrer Policy header using configuration as shown below:
2018-09-18 17:09:18 -05:00
2020-07-14 16:34:30 +02:00
.Referrer Policy Configuration
2023-06-18 21:30:41 -05:00
[tabs]
======
Java::
+
2020-07-14 16:34:30 +02:00
[source,java,role="primary"]
2018-09-18 17:09:18 -05:00
----
@Bean
2019-07-24 12:15:32 -04:00
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
2018-09-18 17:09:18 -05:00
http
// ...
2020-01-10 13:10:36 +01:00
.headers(headers -> headers
.referrerPolicy(referrer -> referrer
.policy(ReferrerPolicy.SAME_ORIGIN)
)
2019-07-22 09:31:10 -04:00
);
2018-09-18 17:09:18 -05:00
return http.build();
}
----
2020-07-14 16:34:30 +02:00
2023-06-18 21:30:41 -05:00
Kotlin::
+
2020-07-14 16:34:30 +02:00
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
referrerPolicy {
policy = ReferrerPolicy.SAME_ORIGIN
}
}
}
}
----
2023-06-18 21:30:41 -05:00
======
2018-09-18 17:09:18 -05:00
[[webflux-headers-feature]]
2018-09-18 20:30:45 -05:00
== Feature Policy
2018-09-18 17:09:18 -05:00
2021-12-13 16:57:36 -06:00
By default, Spring Security does not add xref:features/exploits/headers.adoc#headers-feature[Feature Policy] headers.
2021-04-21 16:01:26 -05:00
Consider the following `Feature-Policy` header:
2018-09-18 17:09:18 -05:00
2019-11-07 10:55:27 -06:00
.Feature-Policy Example
2018-09-18 17:09:18 -05:00
[source]
----
Feature-Policy: geolocation 'self'
----
2021-04-21 16:01:26 -05:00
You can enable the preceding Feature Policy header:
2018-09-18 17:09:18 -05:00
2020-07-14 16:34:30 +02:00
.Feature-Policy Configuration
2023-06-18 21:30:41 -05:00
[tabs]
======
Java::
+
2020-07-14 16:34:30 +02:00
[source,java,role="primary"]
2018-09-18 17:09:18 -05:00
----
@Bean
2019-07-24 12:15:32 -04:00
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
2018-09-18 17:09:18 -05:00
http
// ...
2020-01-10 13:10:36 +01:00
.headers(headers -> headers
.featurePolicy("geolocation 'self'")
2019-07-22 09:31:10 -04:00
);
2018-09-18 17:09:18 -05:00
return http.build();
}
----
2020-07-14 16:34:30 +02:00
2023-06-18 21:30:41 -05:00
Kotlin::
+
2020-07-14 16:34:30 +02:00
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
featurePolicy("geolocation 'self'")
}
}
}
----
2023-06-18 21:30:41 -05:00
======
2019-09-20 13:02:06 -06:00
2020-12-04 23:00:09 +01:00
[[webflux-headers-permissions]]
== Permissions Policy
2021-12-13 16:57:36 -06:00
By default, Spring Security does not add xref:features/exploits/headers.adoc#headers-permissions[Permissions Policy] headers.
2021-04-21 16:01:26 -05:00
Consider the following `Permissions-Policy` header:
2020-12-04 23:00:09 +01:00
.Permissions-Policy Example
[source]
----
Permissions-Policy: geolocation=(self)
----
2021-04-21 16:01:26 -05:00
You can enable the preceding Permissions Policy header:
2020-12-04 23:00:09 +01:00
.Permissions-Policy Configuration
2023-06-18 21:30:41 -05:00
[tabs]
======
Java::
+
2020-12-04 23:00:09 +01:00
[source,java,role="primary"]
----
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
// ...
.headers(headers -> headers
.permissionsPolicy(permissions -> permissions
.policy("geolocation=(self)")
)
);
return http.build();
}
----
2023-06-18 21:30:41 -05:00
Kotlin::
+
2020-12-04 23:00:09 +01:00
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
permissionsPolicy {
policy = "geolocation=(self)"
}
}
}
}
----
2023-06-18 21:30:41 -05:00
======
2020-12-04 23:00:09 +01:00
2019-11-07 10:55:27 -06:00
[[webflux-headers-clear-site-data]]
2019-09-20 13:02:06 -06:00
== Clear Site Data
2021-12-13 16:57:36 -06:00
By default, Spring Security does not add xref:features/exploits/headers.adoc#headers-clear-site-data[Clear-Site-Data] headers.
2021-04-21 16:01:26 -05:00
Consider the following `Clear-Site-Data` header:
2019-09-20 13:02:06 -06:00
2019-11-07 10:55:27 -06:00
.Clear-Site-Data Example
2019-09-20 13:02:06 -06:00
----
2019-11-07 10:55:27 -06:00
Clear-Site-Data: "cache", "cookies"
2019-09-20 13:02:06 -06:00
----
2021-04-21 16:01:26 -05:00
You can send the `Clear-Site-Data` header on logout:
2019-09-20 13:02:06 -06:00
2020-07-14 16:34:30 +02:00
.Clear-Site-Data Configuration
2023-06-18 21:30:41 -05:00
[tabs]
======
Java::
+
2020-07-14 16:34:30 +02:00
[source,java,role="primary"]
2019-09-20 13:02:06 -06:00
----
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
ServerLogoutHandler securityContext = new SecurityContextServerLogoutHandler();
2019-11-07 10:55:27 -06:00
ClearSiteDataServerHttpHeadersWriter writer = new ClearSiteDataServerHttpHeadersWriter(CACHE, COOKIES);
ServerLogoutHandler clearSiteData = new HeaderWriterServerLogoutHandler(writer);
2019-09-20 13:02:06 -06:00
DelegatingServerLogoutHandler logoutHandler = new DelegatingServerLogoutHandler(securityContext, clearSiteData);
http
// ...
.logout()
2019-11-07 10:55:27 -06:00
.logoutHandler(logoutHandler);
2019-09-20 13:02:06 -06:00
return http.build();
}
----
2020-07-14 16:34:30 +02:00
2023-06-18 21:30:41 -05:00
Kotlin::
+
2020-07-14 16:34:30 +02:00
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
val securityContext: ServerLogoutHandler = SecurityContextServerLogoutHandler()
val writer = ClearSiteDataServerHttpHeadersWriter(CACHE, COOKIES)
val clearSiteData: ServerLogoutHandler = HeaderWriterServerLogoutHandler(writer)
val customLogoutHandler = DelegatingServerLogoutHandler(securityContext, clearSiteData)
return http {
// ...
logout {
logoutHandler = customLogoutHandler
}
}
}
----
2023-06-18 21:30:41 -05:00
======
