Package org.springframework.security.config.annotation.web.configurers

Class LogoutConfigurer<H extends HttpSecurityBuilder<H>>

java.lang.Object

org.springframework.security.config.annotation.SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>

org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<LogoutConfigurer<H>,H>

org.springframework.security.config.annotation.web.configurers.LogoutConfigurer<H>

All Implemented Interfaces:

SecurityConfigurer<DefaultSecurityFilterChain,H>

public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>>
extends AbstractHttpConfigurer<LogoutConfigurer<H>,H>

Adds logout support. Other SecurityConfigurer instances may invoke addLogoutHandler(LogoutHandler) in the SecurityConfigurer.init(org.springframework.security.config.annotation.SecurityBuilder) phase.

Security Filters

The following Filters are populated

• LogoutFilter

Shared Objects Created

No shared Objects are created

Shared Objects Used

No shared objects are used.

Since:

3.2

See Also:

• RememberMeConfigurer

Constructor Summary

Constructors

Constructor	Description
LogoutConfigurer()	Creates a new instance

Method Summary

Modifier and Type	Method	Description
LogoutConfigurer<H>	addLogoutHandler(LogoutHandler logoutHandler)	Adds a LogoutHandler.
LogoutConfigurer<H>	clearAuthentication(boolean clearAuthentication)	Specifies if SecurityContextLogoutHandler should clear the Authentication at the time of logout.
void	configure(H http)	Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
LogoutConfigurer<H>	defaultLogoutSuccessHandlerFor(LogoutSuccessHandler handler, RequestMatcher preferredMatcher)	Sets a default LogoutSuccessHandler to be used which prefers being invoked for the provided RequestMatcher.
LogoutConfigurer<H>	deleteCookies(String... cookieNamesToClear)	Allows specifying the names of cookies to be removed on logout success.
List<LogoutHandler>	getLogoutHandlers()	Gets the LogoutHandler instances that will be used.
LogoutSuccessHandler	getLogoutSuccessHandler()	Gets the LogoutSuccessHandler if not null, otherwise creates a new SimpleUrlLogoutSuccessHandler using the logoutSuccessUrl(String).
void	init(H http)	Initialize the SecurityBuilder.
LogoutConfigurer<H>	invalidateHttpSession(boolean invalidateHttpSession)	Configures SecurityContextLogoutHandler to invalidate the HttpSession at the time of logout.
LogoutConfigurer<H>	logoutRequestMatcher(RequestMatcher logoutRequestMatcher)	The RequestMatcher that triggers log out to occur.
LogoutConfigurer<H>	logoutSuccessHandler(LogoutSuccessHandler logoutSuccessHandler)	Sets the LogoutSuccessHandler to use.
LogoutConfigurer<H>	logoutSuccessUrl(String logoutSuccessUrl)	The URL to redirect to after logout has occurred.
LogoutConfigurer<H>	logoutUrl(String logoutUrl)	The URL that triggers log out to occur (default is "/logout").
LogoutConfigurer<H>	permitAll()	A shortcut for permitAll(boolean) with true as an argument.
LogoutConfigurer<H>	permitAll(boolean permitAll)	Grants access to the logoutSuccessUrl(String) and the logoutUrl(String) for every user.

Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer

disable, getRequestMatcherBuilder, getSecurityContextHolderStrategy, withObjectPostProcessor

Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter

addObjectPostProcessor, getBuilder, postProcess, setBuilder

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

LogoutConfigurer

public LogoutConfigurer()

Creates a new instance

See Also:

• HttpSecurity.logout(Customizer)

Method Details

addLogoutHandler

public LogoutConfigurer<H> addLogoutHandler(LogoutHandler logoutHandler)

Adds a LogoutHandler. SecurityContextLogoutHandler and LogoutSuccessEventPublishingLogoutHandler are added as last LogoutHandler instances by default.

Parameters:

logoutHandler - the LogoutHandler to add

Returns:

the LogoutConfigurer for further customization

clearAuthentication

public LogoutConfigurer<H> clearAuthentication(boolean clearAuthentication)

Specifies if SecurityContextLogoutHandler should clear the Authentication at the time of logout.

Parameters:

clearAuthentication - true SecurityContextLogoutHandler should clear the Authentication (default), or false otherwise.

Returns:

the LogoutConfigurer for further customization

invalidateHttpSession

public LogoutConfigurer<H> invalidateHttpSession(boolean invalidateHttpSession)

Configures SecurityContextLogoutHandler to invalidate the HttpSession at the time of logout.

Parameters:

invalidateHttpSession - true if the HttpSession should be invalidated (default), or false otherwise.

Returns:

the LogoutConfigurer for further customization

logoutUrl

public LogoutConfigurer<H> logoutUrl(String logoutUrl)

The URL that triggers log out to occur (default is "/logout"). If CSRF protection is enabled (default), then the request must also be a POST. This means that by default POST "/logout" is required to trigger a log out. If CSRF protection is disabled, then any HTTP method is allowed.

It is considered best practice to use an HTTP POST on any action that changes state (i.e. log out) to protect against CSRF attacks. If you really want to use an HTTP GET, you can use logoutRequestMatcher(PathPatternRequestMatcher.pathPattern(HttpMethod.GEt, logoutUrl));

Parameters:

logoutUrl - the URL that will invoke logout.

Returns:

the LogoutConfigurer for further customization

See Also:

• logoutRequestMatcher(RequestMatcher)
• HttpSecurity.csrf(Customizer)

logoutRequestMatcher

public LogoutConfigurer<H> logoutRequestMatcher(RequestMatcher logoutRequestMatcher)

The RequestMatcher that triggers log out to occur. In most circumstances users will use logoutUrl(String) which helps enforce good practices.

Parameters:

logoutRequestMatcher - the RequestMatcher used to determine if logout should occur.

Returns:

the LogoutConfigurer for further customization

See Also:

• logoutUrl(String)

logoutSuccessUrl

public LogoutConfigurer<H> logoutSuccessUrl(String logoutSuccessUrl)

The URL to redirect to after logout has occurred. The default is "/login?logout". This is a shortcut for invoking logoutSuccessHandler(LogoutSuccessHandler) with a SimpleUrlLogoutSuccessHandler.

Parameters:

logoutSuccessUrl - the URL to redirect to after logout occurred

Returns:

the LogoutConfigurer for further customization

permitAll

public LogoutConfigurer<H> permitAll()

A shortcut for permitAll(boolean) with true as an argument.

Returns:

the LogoutConfigurer for further customizations

deleteCookies

public LogoutConfigurer<H> deleteCookies(String... cookieNamesToClear)

Allows specifying the names of cookies to be removed on logout success. This is a shortcut to easily invoke addLogoutHandler(LogoutHandler) with a CookieClearingLogoutHandler.

Parameters:

cookieNamesToClear - the names of cookies to be removed on logout success.

Returns:

the LogoutConfigurer for further customization

logoutSuccessHandler

public LogoutConfigurer<H> logoutSuccessHandler(LogoutSuccessHandler logoutSuccessHandler)

Sets the LogoutSuccessHandler to use. If this is specified, logoutSuccessUrl(String) is ignored.

Parameters:

logoutSuccessHandler - the LogoutSuccessHandler to use after a user has been logged out.

Returns:

the LogoutConfigurer for further customizations

defaultLogoutSuccessHandlerFor

public LogoutConfigurer<H> defaultLogoutSuccessHandlerFor(LogoutSuccessHandler handler,
 RequestMatcher preferredMatcher)

Sets a default LogoutSuccessHandler to be used which prefers being invoked for the provided RequestMatcher. If no LogoutSuccessHandler is specified a SimpleUrlLogoutSuccessHandler will be used. If any default LogoutSuccessHandler instances are configured, then a DelegatingLogoutSuccessHandler will be used that defaults to a SimpleUrlLogoutSuccessHandler.

Parameters:

handler - the LogoutSuccessHandler to use

preferredMatcher - the RequestMatcher for this default LogoutSuccessHandler

Returns:

the LogoutConfigurer for further customizations

permitAll

public LogoutConfigurer<H> permitAll(boolean permitAll)

Grants access to the logoutSuccessUrl(String) and the logoutUrl(String) for every user.

Parameters:

permitAll - if true grants access, else nothing is done

Returns:

the LogoutConfigurer for further customization.

getLogoutSuccessHandler

public LogoutSuccessHandler getLogoutSuccessHandler()

Gets the LogoutSuccessHandler if not null, otherwise creates a new SimpleUrlLogoutSuccessHandler using the logoutSuccessUrl(String).

Returns:

the LogoutSuccessHandler to use

init

public void init(H http)

Description copied from interface: SecurityConfigurer

Initialize the SecurityBuilder. Here only shared state should be created and modified, but not properties on the SecurityBuilder used for building the object. This ensures that the SecurityConfigurer.configure(SecurityBuilder) method uses the correct shared objects when building. Configurers should be applied here.

Specified by:

init in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

Overrides:

init in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

configure

public void configure(H http)

Description copied from interface: SecurityConfigurer

Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.

Specified by:

configure in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

Overrides:

configure in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

getLogoutHandlers

public List<LogoutHandler> getLogoutHandlers()

Gets the LogoutHandler instances that will be used.

Returns:

the LogoutHandler instances. Cannot be null.