From 38e87568a6bd0eb46adf0855ffa84660baa9ba6c Mon Sep 17 00:00:00 2001
From: Josh Cummings
Date: Fri, 20 Sep 2019 13:02:06 -0600
Subject: [PATCH] Document Clear Site Data

Fixes gh-7463
---
 .../asciidoc/_includes/reactive/headers.adoc | 40 +++++++++++++++++++
 .../_includes/servlet/web/headers.adoc | 38 ++++++++++++++++++
 2 files changed, 78 insertions(+)

diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/headers.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/headers.adoc
index a1a8409e2d..a26b5221ea 100644
--- a/docs/manual/src/docs/asciidoc/_includes/reactive/headers.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/headers.adoc
@@ -486,3 +486,43 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 return http.build();
 }
 ----
+
+
+[[webflux-headers-clearsitedata]]
+== Clear Site Data
+
+https://www.w3.org/TR/clear-site-data/[Clear Site Data] is a mechanism by which any browser-side data - cookies, local storage, and the like - can be removed when an HTTP response contains this header:
+
+[source]
+----
+Clear-Site-Data: "cache", "cookies", "storage", "executionContexts"
+----
+
+This is a nice clean-up action to perform on logout.
+
+[[webflux-headers-clearsitedata-configure]]
+=== Configuring Clear Site Data
+
+Spring Security *_doesn't add_* the Clear Site Data header by default.
+
+You can configure your application to send down this header on logout like so:
+
+[source,java]
+----
+@Bean
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+ ServerLogoutHandler securityContext = new SecurityContextServerLogoutHandler();
+ ServerLogoutHandler clearSiteData = new HeaderWriterServerLogoutHandler(new ClearSiteDataServerHttpHeadersWriter());
+ DelegatingServerLogoutHandler logoutHandler = new DelegatingServerLogoutHandler(securityContext, clearSiteData);
+
+ http
+ // ...
+ .logout()
+ .logoutHandler(logoutHandler);
+ return http.build();
+}
+----
+
+[NOTE]
+It's not recommended that you configure this header writer via the `headers()` directive.
+The reason for this is that any session state, say the `JSESSIONID` cookie, would be removed, effectively logging the user out.
diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/web/headers.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/web/headers.adoc
index 72cfc6c20e..222e3b57ad 100644
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/web/headers.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/web/headers.adoc
@@ -814,6 +814,44 @@ WebSecurityConfigurerAdapter {
 }
 ----
+[[headers-clearsitedata]]
+==== Clear Site Data
+
+https://www.w3.org/TR/clear-site-data/[Clear Site Data] is a mechanism by which any browser-side data - cookies, local storage, and the like - can be removed when an HTTP response contains this header:
+
+[source]
+----
+Clear-Site-Data: "cache", "cookies", "storage", "executionContexts"
+----
+
+This is a nice clean-up action to perform on logout.
+
+[[headers-clearsitedata-configure]]
+===== Configuring Clear Site Data
+
+Spring Security *_doesn't add_* the Clear Site Data header by default.
+
+You can configure your application to send down this header on logout like so:
+
+[source,java]
+----
+@EnableWebSecurity
+public class WebSecurityConfig extends
+WebSecurityConfigurerAdapter {
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ http
+ // ...
+ .logout()
+ .addLogoutHandler(new HeaderWriterLogoutHandler(new ClearSiteDataHeaderWriter(CACHE, COOKIES)));
+ }
+}
+----
+
+[NOTE]
+It's not recommended that you configure this header writer via the `headers()` directive.
+The reason for this is that any session state, say the `JSESSIONID` cookie, would be removed, effectively logging the user out.
 [[headers-custom]]
 === Custom Headers