This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.4.0!

Logout

Spring Security provides a logout endpoint by default. Once logged in, you can GET /logout to see a default logout confirmation page, or you can POST /logout to initiate logout. This will:

  • clear the ServerCsrfTokenRepository, ServerSecurityContextRepository, and

  • redirect back to the login page

Often, you will want to also invalidate the session on logout. To achieve this, you can add the WebSessionServerLogoutHandler to your logout configuration, like so:

  • Java

  • Kotlin

@Bean
SecurityWebFilterChain http(ServerHttpSecurity http) throws Exception {
    DelegatingServerLogoutHandler logoutHandler = new DelegatingServerLogoutHandler(
            new SecurityContextServerLogoutHandler(), new WebSessionServerLogoutHandler()
    );

    http
        .authorizeExchange((exchange) -> exchange.anyExchange().authenticated())
        .logout((logout) -> logout.logoutHandler(logoutHandler));

    return http.build();
}
@Bean
fun http(http: ServerHttpSecurity): SecurityWebFilterChain {
    val customLogoutHandler = DelegatingServerLogoutHandler(
        SecurityContextServerLogoutHandler(), WebSessionServerLogoutHandler()
    )

    return http {
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
        logout {
            logoutHandler = customLogoutHandler
        }
    }
}