Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Document Clear Site Data 

Fixes gh-7463
This commit is contained in:
Josh Cummings 2019-09-20 13:02:06 -06:00
parent 124d9964d7
commit 38e87568a6
No known key found for this signature in database
GPG Key ID: 49EF60DD7FF83443
2 changed files with 78 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
docs/manual/src/docs/asciidoc/_includes/reactive/headers.adoc
View File

@ -486,3 +486,43 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
return http.build();
}
----
[[webflux-headers-clearsitedata]]
== Clear Site Data
https://www.w3.org/TR/clear-site-data/[Clear Site Data] is a mechanism by which any browser-side data - cookies, local storage, and the like - can be removed when an HTTP response contains this header:
[source]
----
Clear-Site-Data: "cache", "cookies", "storage", "executionContexts"
----
This is a nice clean-up action to perform on logout.
[[webflux-headers-clearsitedata-configure]]
=== Configuring Clear Site Data
Spring Security *_doesn't add_* the Clear Site Data header by default.
You can configure your application to send down this header on logout like so:
[source,java]
----
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
ServerLogoutHandler securityContext = new SecurityContextServerLogoutHandler();
ServerLogoutHandler clearSiteData = new HeaderWriterServerLogoutHandler(new ClearSiteDataServerHttpHeadersWriter());
DelegatingServerLogoutHandler logoutHandler = new DelegatingServerLogoutHandler(securityContext, clearSiteData);
http
// ...
.logout()
.logoutHandler(logoutHandler);
return http.build();
}
----
[NOTE]
It's not recommended that you configure this header writer via the `headers()` directive.
The reason for this is that any session state, say the `JSESSIONID` cookie, would be removed, effectively logging the user out.

38
docs/manual/src/docs/asciidoc/_includes/servlet/web/headers.adoc
View File

@ -814,6 +814,44 @@ WebSecurityConfigurerAdapter {
}
----
[[headers-clearsitedata]]
==== Clear Site Data
https://www.w3.org/TR/clear-site-data/[Clear Site Data] is a mechanism by which any browser-side data - cookies, local storage, and the like - can be removed when an HTTP response contains this header:
[source]
----
Clear-Site-Data: "cache", "cookies", "storage", "executionContexts"
----
This is a nice clean-up action to perform on logout.
[[headers-clearsitedata-configure]]
===== Configuring Clear Site Data
Spring Security *_doesn't add_* the Clear Site Data header by default.
You can configure your application to send down this header on logout like so:
[source,java]
----
@EnableWebSecurity
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.logout()
.addLogoutHandler(new HeaderWriterLogoutHandler(new ClearSiteDataHeaderWriter(CACHE, COOKIES)));
}
}
----
[NOTE]
It's not recommended that you configure this header writer via the `headers()` directive.
The reason for this is that any session state, say the `JSESSIONID` cookie, would be removed, effectively logging the user out.
[[headers-custom]]
=== Custom Headers