java.lang.Object
org.springframework.security.config.annotation.SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,B>
org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<LogoutConfigurer<H>,H>
org.springframework.security.config.annotation.web.configurers.LogoutConfigurer<H>
All Implemented Interfaces:
SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H>

public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHttpConfigurer<LogoutConfigurer<H>,H>
Adds logout support. Other SecurityConfigurer instances may invoke addLogoutHandler(LogoutHandler) in the init(HttpSecurityBuilder) phase.

Security Filters

The following Filters are populated
  • LogoutFilter

Shared Objects Created

No shared Objects are created

Shared Objects Used

No shared objects are used.
Since:
3.2
  • Method Details

    • addLogoutHandler

      public LogoutConfigurer<H> addLogoutHandler(org.springframework.security.web.authentication.logout.LogoutHandler logoutHandler)
      Adds a LogoutHandler. SecurityContextLogoutHandler and LogoutSuccessEventPublishingLogoutHandler are added as last LogoutHandler instances by default.
      Parameters:
      logoutHandler - the LogoutHandler to add
      Returns:
      the LogoutConfigurer for further customization
    • clearAuthentication

      public LogoutConfigurer<H> clearAuthentication(boolean clearAuthentication)
      Specifies if SecurityContextLogoutHandler should clear the Authentication at the time of logout.
      Parameters:
      clearAuthentication - true if SecurityContextLogoutHandler should clear the Authentication (default), or false otherwise.
      Returns:
      the LogoutConfigurer for further customization
    • invalidateHttpSession

      public LogoutConfigurer<H> invalidateHttpSession(boolean invalidateHttpSession)
      Configures SecurityContextLogoutHandler to invalidate the HttpSession at the time of logout.
      Parameters:
      invalidateHttpSession - true if the HttpSession should be invalidated (default), or false otherwise.
      Returns:
      the LogoutConfigurer for further customization
    • logoutUrl

      public LogoutConfigurer<H> logoutUrl(String logoutUrl)
      The URL that triggers log out to occur (default is "/logout"). If CSRF protection is enabled (default), then the request must also be a POST. This means that by default POST "/logout" is required to trigger a log out. If CSRF protection is disabled, then any HTTP method is allowed.

      It is considered best practice to use an HTTP POST on any action that changes state (e.g. log out) to protect against CSRF attacks. If you really want to use an HTTP GET, you can use logoutRequestMatcher(new AntPathRequestMatcher(logoutUrl, "GET"));

      Parameters:
      logoutUrl - the URL that will invoke logout.
      Returns:
      the LogoutConfigurer for further customization
    • logoutRequestMatcher

      public LogoutConfigurer<H> logoutRequestMatcher(org.springframework.security.web.util.matcher.RequestMatcher logoutRequestMatcher)
      The RequestMatcher that triggers log out to occur. In most circumstances users will use logoutUrl(String) which helps enforce good practices.
      Parameters:
      logoutRequestMatcher - the RequestMatcher used to determine if logout should occur.
      Returns:
      the LogoutConfigurer for further customization
    • logoutSuccessUrl

      public LogoutConfigurer<H> logoutSuccessUrl(String logoutSuccessUrl)
      The URL to redirect to after logout has occurred. The default is "/login?logout". This is a shortcut for invoking logoutSuccessHandler(LogoutSuccessHandler) with a SimpleUrlLogoutSuccessHandler.
      Parameters:
      logoutSuccessUrl - the URL to redirect to after logout occurred
      Returns:
      the LogoutConfigurer for further customization
    • permitAll

      public LogoutConfigurer<H> permitAll()
      A shortcut for permitAll(boolean) with true as an argument.
      Returns:
      the LogoutConfigurer for further customizations
    • deleteCookies

      public LogoutConfigurer<H> deleteCookies(String... cookieNamesToClear)
      Allows specifying the names of cookies to be removed on logout success. This is a shortcut to easily invoke addLogoutHandler(LogoutHandler) with a CookieClearingLogoutHandler.
      Parameters:
      cookieNamesToClear - the names of cookies to be removed on logout success.
      Returns:
      the LogoutConfigurer for further customization
    • logoutSuccessHandler

      public LogoutConfigurer<H> logoutSuccessHandler(org.springframework.security.web.authentication.logout.LogoutSuccessHandler logoutSuccessHandler)
      Sets the LogoutSuccessHandler to use. If this is specified, logoutSuccessUrl(String) is ignored.
      Parameters:
      logoutSuccessHandler - the LogoutSuccessHandler to use after a user has been logged out.
      Returns:
      the LogoutConfigurer for further customizations
    • defaultLogoutSuccessHandlerFor

      public LogoutConfigurer<H> defaultLogoutSuccessHandlerFor(org.springframework.security.web.authentication.logout.LogoutSuccessHandler handler, org.springframework.security.web.util.matcher.RequestMatcher preferredMatcher)
      Sets a default LogoutSuccessHandler to be used which prefers being invoked for the provided RequestMatcher. If no LogoutSuccessHandler is specified a SimpleUrlLogoutSuccessHandler will be used. If any default LogoutSuccessHandler instances are configured, then a DelegatingLogoutSuccessHandler will be used that defaults to a SimpleUrlLogoutSuccessHandler.
      Parameters:
      handler - the LogoutSuccessHandler to use
      preferredMatcher - the RequestMatcher for this default LogoutSuccessHandler
      Returns:
      the LogoutConfigurer for further customizations
    • permitAll

      public LogoutConfigurer<H> permitAll(boolean permitAll)
      Grants access to the logoutSuccessUrl(String) and the logoutUrl(String) for every user.
      Parameters:
      permitAll - if true grants access, else nothing is done
      Returns:
      the LogoutConfigurer for further customization.
    • getLogoutSuccessHandler

      public org.springframework.security.web.authentication.logout.LogoutSuccessHandler getLogoutSuccessHandler()
      Gets the LogoutSuccessHandler if not null, otherwise creates a new SimpleUrlLogoutSuccessHandler using the logoutSuccessUrl(String).
      Returns:
      the LogoutSuccessHandler to use
    • init

      public void init(H http)
      Description copied from interface: SecurityConfigurer
      Initialize the SecurityBuilder. Here only shared state should be created and modified, but not properties on the SecurityBuilder used for building the object. This ensures that the SecurityConfigurer.configure(SecurityBuilder) method uses the correct shared objects when building. Configurers should be applied here.
      Specified by:
      init in interface SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
      Overrides:
      init in class SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
    • configure

      public void configure(H http) throws Exception
      Description copied from interface: SecurityConfigurer
      Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
      Specified by:
      configure in interface SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
      Overrides:
      configure in class SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
      Throws:
      Exception
    • getLogoutHandlers

      public List<org.springframework.security.web.authentication.logout.LogoutHandler> getLogoutHandlers()
      Gets the LogoutHandler instances that will be used.
      Returns:
      the LogoutHandler instances. Cannot be null.
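
A configuration that combines the methods documented above, as an added example that is not part of the Spring Security reference. It assumes the lambda DSL entry point HttpSecurity.logout(Customizer), a SecurityFilterChain bean, and SLF4J on the classpath; the class name, the "/session/logout" URL, the audit handler and the cookie names are hypothetical.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.LogoutHandler;

@Configuration
@EnableWebSecurity
public class LogoutSecurityConfig { // hypothetical class name

    private static final Logger log = LoggerFactory.getLogger(LogoutSecurityConfig.class);

    // Hypothetical audit handler. Handlers added through addLogoutHandler run before
    // the default SecurityContextLogoutHandler, so the Authentication is still
    // populated here. It is null when the request was not authenticated.
    private final LogoutHandler auditHandler = (request, response, authentication) -> {
        String user = (authentication != null) ? authentication.getName() : "anonymous";
        log.info("logout user={} remote={}", user, request.getRemoteAddr());
    };

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.logout(logout -> logout
            // CSRF protection is left enabled (the default), so only a POST to this
            // URL carrying a valid CSRF token triggers logout.
            .logoutUrl("/session/logout")
            .addLogoutHandler(auditHandler)
            // Both are already the defaults; stated explicitly so that a later
            // edit to false shows up in code review.
            .invalidateHttpSession(true)
            .clearAuthentication(true)
            // Sample cookie names: remove session-bound cookies from the browser.
            .deleteCookies("JSESSIONID", "remember-me")
            .logoutSuccessUrl("/login?logout")
            // Lets unauthenticated users reach the logout and success URLs.
            .permitAll());
        // Not used here: logoutRequestMatcher(new AntPathRequestMatcher(url, "GET"))
        // would accept GET, which lets any cross-site link or image tag end the
        // user's session. Keep logout on POST unless there is a hard requirement.
        return http.build();
    }
}
```

When reviewing an existing configuration, check for csrf().disable() alongside logout: with CSRF protection off, the default "/logout" accepts any HTTP method.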