For the latest stable version, please use Spring Security 6.2.4!

Logout

Spring Security provides a logout endpoint by default. Once logged in, you can GET /logout to see a default logout confirmation page, or you can POST /logout to initiate logout. This will:

clear the ServerCsrfTokenRepository, ServerSecurityContextRepository, and
redirect back to the login page

Often, you will want to also invalidate the session on logout. To achieve this, you can add the WebSessionServerLogoutHandler to your logout configuration, like so:

Java
Kotlin

@Bean
SecurityWebFilterChain http(ServerHttpSecurity http) throws Exception {
    DelegatingServerLogoutHandler logoutHandler = new DelegatingServerLogoutHandler(
            new WebSessionServerLogoutHandler(), new SecurityContextServerLogoutHandler()
    );

    http
        .authorizeExchange((exchange) -> exchange.anyExchange().authenticated())
        .logout((logout) -> logout.logoutHandler(logoutHandler));

    return http.build();
}

@Bean
fun http(http: ServerHttpSecurity): SecurityWebFilterChain {
    val customLogoutHandler = DelegatingServerLogoutHandler(
        WebSessionServerLogoutHandler(), SecurityContextServerLogoutHandler()
    )

    return http {
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
        logout {
            logoutHandler = customLogoutHandler
        }
    }
}