This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.3.3!spring-doc.cn

This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.3.3!spring-doc.cn

Spring Security provides a logout endpoint by default. Once logged in, you can GET /logout to see a default logout confirmation page, or you can POST /logout to initiate logout. This will:spring-doc.cn

  • clear the ServerCsrfTokenRepository, ServerSecurityContextRepository, andspring-doc.cn

  • redirect back to the login pagespring-doc.cn

Often, you will want to also invalidate the session on logout. To achieve this, you can add the WebSessionServerLogoutHandler to your logout configuration, like so:spring-doc.cn

@Bean
SecurityWebFilterChain http(ServerHttpSecurity http) throws Exception {
    DelegatingServerLogoutHandler logoutHandler = new DelegatingServerLogoutHandler(
            new SecurityContextServerLogoutHandler(), new WebSessionServerLogoutHandler()
    );

    http
        .authorizeExchange((exchange) -> exchange.anyExchange().authenticated())
        .logout((logout) -> logout.logoutHandler(logoutHandler));

    return http.build();
}
@Bean
fun http(http: ServerHttpSecurity): SecurityWebFilterChain {
    val customLogoutHandler = DelegatingServerLogoutHandler(
        SecurityContextServerLogoutHandler(), WebSessionServerLogoutHandler()
    )

    return http {
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
        logout {
            logoutHandler = customLogoutHandler
        }
    }
}