Package org.springframework.security.config.annotation.web.configurers

Class LogoutConfigurer<H extends HttpSecurityBuilder<H>>

    • Constructor Detail

    • Method Detail

      • addLogoutHandler

        public LogoutConfigurer<H> addLogoutHandler​(org.springframework.security.web.authentication.logout.LogoutHandler logoutHandler)
        Adds a LogoutHandler. SecurityContextLogoutHandler and LogoutSuccessEventPublishingLogoutHandler are added as last LogoutHandler instances by default.
        Parameters:
        logoutHandler - the LogoutHandler to add
        Returns:
        the LogoutConfigurer for further customization

      • clearAuthentication

        public LogoutConfigurer<H> clearAuthentication​(boolean clearAuthentication)
        Specifies if SecurityContextLogoutHandler should clear the Authentication at the time of logout.
        Parameters:
        clearAuthentication - true SecurityContextLogoutHandler should clear the Authentication (default), or false otherwise.
        Returns:
        the LogoutConfigurer for further customization

      • invalidateHttpSession

        public LogoutConfigurer<H> invalidateHttpSession​(boolean invalidateHttpSession)
        Configures SecurityContextLogoutHandler to invalidate the HttpSession at the time of logout.
        Parameters:
        invalidateHttpSession - true if the HttpSession should be invalidated (default), or false otherwise.
        Returns:
        the LogoutConfigurer for further customization

      • logoutUrl

        public LogoutConfigurer<H> logoutUrl​(java.lang.String logoutUrl)
        The URL that triggers log out to occur (default is "/logout"). If CSRF protection is enabled (default), then the request must also be a POST. This means that by default POST "/logout" is required to trigger a log out. If CSRF protection is disabled, then any HTTP method is allowed.

        It is considered best practice to use an HTTP POST on any action that changes state (i.e. log out) to protect against CSRF attacks. If you really want to use an HTTP GET, you can use logoutRequestMatcher(new AntPathRequestMatcher(logoutUrl, "GET"));

        Parameters:
        logoutUrl - the URL that will invoke logout.
        Returns:
        the LogoutConfigurer for further customization
        See Also:
        logoutRequestMatcher(RequestMatcher), HttpSecurity.csrf()

      • logoutRequestMatcher

        public LogoutConfigurer<H> logoutRequestMatcher​(org.springframework.security.web.util.matcher.RequestMatcher logoutRequestMatcher)
        The RequestMatcher that triggers log out to occur. In most circumstances users will use logoutUrl(String) which helps enforce good practices.
        Parameters:
        logoutRequestMatcher - the RequestMatcher used to determine if logout should occur.
        Returns:
        the LogoutConfigurer for further customization
        See Also:
        logoutUrl(String)

      • logoutSuccessUrl

        public LogoutConfigurer<H> logoutSuccessUrl​(java.lang.String logoutSuccessUrl)
        The URL to redirect to after logout has occurred. The default is "/login?logout". This is a shortcut for invoking logoutSuccessHandler(LogoutSuccessHandler) with a SimpleUrlLogoutSuccessHandler.
        Parameters:
        logoutSuccessUrl - the URL to redirect to after logout occurred
        Returns:
        the LogoutConfigurer for further customization

      • deleteCookies

        public LogoutConfigurer<H> deleteCookies​(java.lang.String... cookieNamesToClear)
        Allows specifying the names of cookies to be removed on logout success. This is a shortcut to easily invoke addLogoutHandler(LogoutHandler) with a CookieClearingLogoutHandler.
        Parameters:
        cookieNamesToClear - the names of cookies to be removed on logout success.
        Returns:
        the LogoutConfigurer for further customization

      • logoutSuccessHandler

        public LogoutConfigurer<H> logoutSuccessHandler​(org.springframework.security.web.authentication.logout.LogoutSuccessHandler logoutSuccessHandler)
        Sets the LogoutSuccessHandler to use. If this is specified, logoutSuccessUrl(String) is ignored.
        Parameters:
        logoutSuccessHandler - the LogoutSuccessHandler to use after a user has been logged out.
        Returns:
        the LogoutConfigurer for further customizations

      • defaultLogoutSuccessHandlerFor

        public LogoutConfigurer<H> defaultLogoutSuccessHandlerFor​(org.springframework.security.web.authentication.logout.LogoutSuccessHandler handler,
                                                          org.springframework.security.web.util.matcher.RequestMatcher preferredMatcher)
        Sets a default LogoutSuccessHandler to be used which prefers being invoked for the provided RequestMatcher. If no LogoutSuccessHandler is specified a SimpleUrlLogoutSuccessHandler will be used. If any default LogoutSuccessHandler instances are configured, then a DelegatingLogoutSuccessHandler will be used that defaults to a SimpleUrlLogoutSuccessHandler.
        Parameters:
        handler - the LogoutSuccessHandler to use
        preferredMatcher - the RequestMatcher for this default LogoutSuccessHandler
        Returns:
        the LogoutConfigurer for further customizations

      • getLogoutSuccessHandler

        public org.springframework.security.web.authentication.logout.LogoutSuccessHandler getLogoutSuccessHandler()
        Gets the LogoutSuccessHandler if not null, otherwise creates a new SimpleUrlLogoutSuccessHandler using the logoutSuccessUrl(String).
        Returns:
        the LogoutSuccessHandler to use

      • getLogoutHandlers

        public java.util.List<org.springframework.security.web.authentication.logout.LogoutHandler> getLogoutHandlers()
        Gets the LogoutHandler instances that will be used.
        Returns:
        the LogoutHandler instances. Cannot be null.