public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>> extends SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>
SecurityConfigurer
instances may invoke
addLogoutHandler(LogoutHandler)
in the
#init(HttpSecurity)
phase.
RememberMeConfigurer
Constructor and Description |
---|
LogoutConfigurer()
Creates a new instance
|
Modifier and Type | Method and Description |
---|---|
LogoutConfigurer<H> |
addLogoutHandler(LogoutHandler logoutHandler)
Adds a
LogoutHandler . |
void |
configure(H http)
Configure the
SecurityBuilder by setting the necessary properties
on the SecurityBuilder . |
LogoutConfigurer<H> |
deleteCookies(String... cookieNamesToClear)
Allows specifying the names of cookies to be removed on logout success.
|
B |
disable()
Disables the
AbstractHttpConfigurer by removing it. |
void |
init(H http)
Initialize the
SecurityBuilder . |
LogoutConfigurer<H> |
invalidateHttpSession(boolean invalidateHttpSession)
Configures
SecurityContextLogoutHandler to invalidate the HttpSession at the time of logout. |
LogoutConfigurer<H> |
logoutRequestMatcher(RequestMatcher logoutRequestMatcher)
The RequestMatcher that triggers log out to occur.
|
LogoutConfigurer<H> |
logoutSuccessHandler(LogoutSuccessHandler logoutSuccessHandler)
Sets the
LogoutSuccessHandler to use. |
LogoutConfigurer<H> |
logoutSuccessUrl(String logoutSuccessUrl)
The URL to redirect to after logout has occurred.
|
LogoutConfigurer<H> |
logoutUrl(String logoutUrl)
The URL that triggers log out to occur (default is "/logout").
|
LogoutConfigurer<H> |
permitAll()
A shortcut for
permitAll(boolean) with true as an argument. |
LogoutConfigurer<H> |
permitAll(boolean permitAll)
Grants access to the
logoutSuccessUrl(String) and the logoutUrl(String) for every user. |
T |
withObjectPostProcessor(ObjectPostProcessor<?> objectPostProcessor) |
addObjectPostProcessor, and, getBuilder, postProcess, setBuilder
public LogoutConfigurer()
HttpSecurity.logout()
public LogoutConfigurer<H> addLogoutHandler(LogoutHandler logoutHandler)
LogoutHandler
. The SecurityContextLogoutHandler
is
added as the last LogoutHandler
by default.logoutHandler
- the LogoutHandler
to addLogoutConfigurer
for further customizationpublic LogoutConfigurer<H> invalidateHttpSession(boolean invalidateHttpSession)
SecurityContextLogoutHandler
to invalidate the HttpSession
at the time of logout.invalidateHttpSession
- true if the HttpSession
should be invalidated (default), or false otherwise.LogoutConfigurer
for further customizationpublic LogoutConfigurer<H> logoutUrl(String logoutUrl)
It is considered best practice to use an HTTP POST on any action that
changes state (i.e. log out) to protect against CSRF
attacks. If you really want to use an HTTP GET, you can use
logoutRequestMatcher(new AntPathRequestMatcher(logoutUrl, "GET"));
logoutUrl
- the URL that will invoke logout.LogoutConfigurer
for further customizationlogoutRequestMatcher(RequestMatcher)
,
HttpSecurity.csrf()
public LogoutConfigurer<H> logoutRequestMatcher(RequestMatcher logoutRequestMatcher)
logoutUrl(String)
which helps enforce good
practices.logoutRequestMatcher
- the RequestMatcher used to determine if logout should occur.LogoutConfigurer
for further customizationlogoutUrl(String)
public LogoutConfigurer<H> logoutSuccessUrl(String logoutSuccessUrl)
logoutSuccessHandler(LogoutSuccessHandler)
with a
SimpleUrlLogoutSuccessHandler
.logoutSuccessUrl
- the URL to redirect to after logout occurredLogoutConfigurer
for further customizationpublic LogoutConfigurer<H> permitAll()
permitAll(boolean)
with true
as an argument.LogoutConfigurer
for further customizationspublic LogoutConfigurer<H> deleteCookies(String... cookieNamesToClear)
addLogoutHandler(LogoutHandler)
with a
CookieClearingLogoutHandler
.cookieNamesToClear
- the names of cookies to be removed on logout success.LogoutConfigurer
for further customizationpublic LogoutConfigurer<H> logoutSuccessHandler(LogoutSuccessHandler logoutSuccessHandler)
LogoutSuccessHandler
to use. If this is specified,
logoutSuccessUrl(String)
is ignored.logoutSuccessHandler
- the LogoutSuccessHandler
to use after a user has been
logged out.LogoutConfigurer
for further customizationspublic LogoutConfigurer<H> permitAll(boolean permitAll)
logoutSuccessUrl(String)
and the logoutUrl(String)
for every user.permitAll
- if true grants access, else nothing is doneLogoutConfigurer
for further customization.public void init(H http) throws Exception
SecurityConfigurer
SecurityBuilder
. Here only shared state should be
created and modified, but not properties on the SecurityBuilder
used for building the object. This ensures that the
SecurityConfigurer.configure(SecurityBuilder)
method uses the correct shared
objects when building.init
in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
init
in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Exception
public void configure(H http) throws Exception
SecurityConfigurer
SecurityBuilder
by setting the necessary properties
on the SecurityBuilder
.configure
in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
configure
in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Exception
public B disable()
AbstractHttpConfigurer
by removing it. After doing
so a fresh version of the configuration can be applied.HttpSecurityBuilder
for additional customizationspublic T withObjectPostProcessor(ObjectPostProcessor<?> objectPostProcessor)