From aed203f3673c24d61eb5d024cf43ed40f24a7f90 Mon Sep 17 00:00:00 2001 From: Josh Cummings Date: Mon, 16 Aug 2021 13:09:42 -0600 Subject: [PATCH] Docs for WebSessionServerLogoutHandler Issue gh-4838 --- .../asciidoc/_includes/reactive/index.adoc | 2 ++ .../asciidoc/_includes/reactive/logout.adoc | 28 +++++++++++++++++++ 2 files changed, 30 insertions(+) create mode 100644 docs/manual/src/docs/asciidoc/_includes/reactive/logout.adoc diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/index.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/index.adoc index f675c7b873..497e239786 100644 --- a/docs/manual/src/docs/asciidoc/_includes/reactive/index.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/reactive/index.adoc @@ -10,6 +10,8 @@ include::registered-oauth2-authorized-client.adoc[leveloffset=+1] include::x509.adoc[leveloffset=+1] +include::logout.adoc[leveloffset=+1] + include::webclient.adoc[leveloffset=+1] include::method.adoc[leveloffset=+1] diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/logout.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/logout.adoc new file mode 100644 index 0000000000..0d4137d108 --- /dev/null +++ b/docs/manual/src/docs/asciidoc/_includes/reactive/logout.adoc 
@@ -0,0 +1,28 @@
+[[reactive-logout]]
+= Logout
+
+Spring Security provides a logout endpoint by default.
+Once logged in, you can `GET /logout` to see a default logout confirmation page, or you can `POST /logout` to initiate logout.
+This will:
+
+- clear the `ServerCsrfTokenRepository`, `ServerSecurityContextRepository`, and
+- redirect back to the login page
+
+Often, you will want to also invalidate the session on logout.
+To achieve this, you can add the `WebSessionServerLogoutHandler` to your logout configuration, like so:
+
+[source,java]
+----
+@Bean
+SecurityWebFilterChain http(ServerHttpSecurity http) throws Exception {
+ DelegatingServerLogoutHandler logoutHandler = new DelegatingServerLogoutHandler(
+ new WebSessionServerLogoutHandler(), new SecurityContextServerLogoutHandler()
+ );
+
+ http
+ .authorizeExchange((exchange) -> exchange.anyExchange().authenticated())
+ .logout((logout) -> logout.logoutHandler(logoutHandler));
+
+ return http.build();
+}
+----