Class LogoutConfigurer<H extends HttpSecurityBuilder<H>>
- java.lang.Object
  - org.springframework.security.config.annotation.SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>
    - org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<LogoutConfigurer<H>,H>
      - org.springframework.security.config.annotation.web.configurers.LogoutConfigurer<H>
- All Implemented Interfaces: SecurityConfigurer<DefaultSecurityFilterChain,H>
public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHttpConfigurer<LogoutConfigurer<H>,H>
Adds logout support. Other SecurityConfigurer instances may invoke addLogoutHandler(LogoutHandler) in the init(HttpSecurityBuilder) phase.
Security Filters
The following Filters are populated
Shared Objects Created
No shared Objects are created
Shared Objects Used
No shared objects are used.
- Since: 3.2
- See Also: RememberMeConfigurer
-
-
Constructor Summary
Constructors
Constructor | Description
LogoutConfigurer() | Creates a new instance
-
Method Summary
All Methods / Instance Methods / Concrete Methods
Modifier and Type | Method | Description
LogoutConfigurer<H> | addLogoutHandler(LogoutHandler logoutHandler) | Adds a LogoutHandler.
LogoutConfigurer<H> | clearAuthentication(boolean clearAuthentication) | Specifies if SecurityContextLogoutHandler should clear the Authentication at the time of logout.
void | configure(H http) | Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
LogoutConfigurer<H> | defaultLogoutSuccessHandlerFor(LogoutSuccessHandler handler, RequestMatcher preferredMatcher) | Sets a default LogoutSuccessHandler to be used which prefers being invoked for the provided RequestMatcher.
LogoutConfigurer<H> | deleteCookies(java.lang.String... cookieNamesToClear) | Allows specifying the names of cookies to be removed on logout success.
java.util.List<LogoutHandler> | getLogoutHandlers() | Gets the LogoutHandler instances that will be used.
LogoutSuccessHandler | getLogoutSuccessHandler() | Gets the LogoutSuccessHandler if not null, otherwise creates a new SimpleUrlLogoutSuccessHandler using the logoutSuccessUrl(String).
void | init(H http) | Initialize the SecurityBuilder.
LogoutConfigurer<H> | invalidateHttpSession(boolean invalidateHttpSession) | Configures SecurityContextLogoutHandler to invalidate the HttpSession at the time of logout.
LogoutConfigurer<H> | logoutRequestMatcher(RequestMatcher logoutRequestMatcher) | The RequestMatcher that triggers log out to occur.
LogoutConfigurer<H> | logoutSuccessHandler(LogoutSuccessHandler logoutSuccessHandler) | Sets the LogoutSuccessHandler to use.
LogoutConfigurer<H> | logoutSuccessUrl(java.lang.String logoutSuccessUrl) | The URL to redirect to after logout has occurred.
LogoutConfigurer<H> | logoutUrl(java.lang.String logoutUrl) | The URL that triggers log out to occur (default is "/logout").
LogoutConfigurer<H> | permitAll() | A shortcut for permitAll(boolean) with true as an argument.
LogoutConfigurer<H> | permitAll(boolean permitAll) | Grants access to the logoutSuccessUrl(String) and the logoutUrl(String) for every user.
Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer
disable, withObjectPostProcessor
-
Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter
addObjectPostProcessor, and, getBuilder, postProcess, setBuilder
-
-
-
-
Constructor Detail
-
LogoutConfigurer
public LogoutConfigurer()
Creates a new instance
- See Also: HttpSecurity.logout()
-
-
Method Detail
-
addLogoutHandler
public LogoutConfigurer<H> addLogoutHandler(LogoutHandler logoutHandler)
Adds a LogoutHandler. SecurityContextLogoutHandler and LogoutSuccessEventPublishingLogoutHandler are added as last LogoutHandler instances by default.
- Parameters:
  logoutHandler - the LogoutHandler to add
- Returns:
  the LogoutConfigurer for further customization
-
clearAuthentication
public LogoutConfigurer<H> clearAuthentication(boolean clearAuthentication)
Specifies if SecurityContextLogoutHandler should clear the Authentication at the time of logout.
- Parameters:
  clearAuthentication - true if SecurityContextLogoutHandler should clear the Authentication (default), or false otherwise.
- Returns:
  the LogoutConfigurer for further customization
-
invalidateHttpSession
public LogoutConfigurer<H> invalidateHttpSession(boolean invalidateHttpSession)
Configures SecurityContextLogoutHandler to invalidate the HttpSession at the time of logout.
- Parameters:
  invalidateHttpSession - true if the HttpSession should be invalidated (default), or false otherwise.
- Returns:
  the LogoutConfigurer for further customization
-
logoutUrl
public LogoutConfigurer<H> logoutUrl(java.lang.String logoutUrl)
The URL that triggers log out to occur (default is "/logout"). If CSRF protection is enabled (default), then the request must also be a POST. This means that by default POST "/logout" is required to trigger a log out. If CSRF protection is disabled, then any HTTP method is allowed.
It is considered best practice to use an HTTP POST on any action that changes state (i.e. log out) to protect against CSRF attacks. If you really want to use an HTTP GET, you can use
logoutRequestMatcher(new AntPathRequestMatcher(logoutUrl, "GET"));
- Parameters:
  logoutUrl - the URL that will invoke logout.
- Returns:
  the LogoutConfigurer for further customization
- See Also:
  logoutRequestMatcher(RequestMatcher), HttpSecurity.csrf()
-
logoutRequestMatcher
public LogoutConfigurer<H> logoutRequestMatcher(RequestMatcher logoutRequestMatcher)
The RequestMatcher that triggers log out to occur. In most circumstances users will use logoutUrl(String) which helps enforce good practices.
- Parameters:
  logoutRequestMatcher - the RequestMatcher used to determine if logout should occur.
- Returns:
  the LogoutConfigurer for further customization
- See Also:
  logoutUrl(String)
-
logoutSuccessUrl
public LogoutConfigurer<H> logoutSuccessUrl(java.lang.String logoutSuccessUrl)
The URL to redirect to after logout has occurred. The default is "/login?logout". This is a shortcut for invoking logoutSuccessHandler(LogoutSuccessHandler) with a SimpleUrlLogoutSuccessHandler.
- Parameters:
  logoutSuccessUrl - the URL to redirect to after logout occurred
- Returns:
  the LogoutConfigurer for further customization
-
permitAll
public LogoutConfigurer<H> permitAll()
A shortcut for permitAll(boolean) with true as an argument.
- Returns:
  the LogoutConfigurer for further customizations
-
deleteCookies
public LogoutConfigurer<H> deleteCookies(java.lang.String... cookieNamesToClear)
Allows specifying the names of cookies to be removed on logout success. This is a shortcut to easily invoke addLogoutHandler(LogoutHandler) with a CookieClearingLogoutHandler.
- Parameters:
  cookieNamesToClear - the names of cookies to be removed on logout success.
- Returns:
  the LogoutConfigurer for further customization
-
logoutSuccessHandler
public LogoutConfigurer<H> logoutSuccessHandler(LogoutSuccessHandler logoutSuccessHandler)
Sets the LogoutSuccessHandler to use. If this is specified, logoutSuccessUrl(String) is ignored.
- Parameters:
  logoutSuccessHandler - the LogoutSuccessHandler to use after a user has been logged out.
- Returns:
  the LogoutConfigurer for further customizations
-
defaultLogoutSuccessHandlerFor
public LogoutConfigurer<H> defaultLogoutSuccessHandlerFor(LogoutSuccessHandler handler, RequestMatcher preferredMatcher)
Sets a default LogoutSuccessHandler to be used which prefers being invoked for the provided RequestMatcher. If no LogoutSuccessHandler is specified a SimpleUrlLogoutSuccessHandler will be used. If any default LogoutSuccessHandler instances are configured, then a DelegatingLogoutSuccessHandler will be used that defaults to a SimpleUrlLogoutSuccessHandler.
- Parameters:
  handler - the LogoutSuccessHandler to use
  preferredMatcher - the RequestMatcher for this default LogoutSuccessHandler
- Returns:
  the LogoutConfigurer for further customizations
-
permitAll
public LogoutConfigurer<H> permitAll(boolean permitAll)
Grants access to the logoutSuccessUrl(String) and the logoutUrl(String) for every user.
- Parameters:
  permitAll - if true grants access, else nothing is done
- Returns:
  the LogoutConfigurer for further customization.
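The logout settings described under logoutUrl, addLogoutHandler, deleteCookies, defaultLogoutSuccessHandlerFor and permitAll, combined in one configuration. This is an added example, not code from the Spring Security project. It assumes Spring Security 5.4 or later (SecurityFilterChain bean and lambda DSL) and SLF4J on the classpath; the class name LogoutSecurityConfig, the audit handler, the "JSESSIONID" cookie name and the X-Requested-With header check are illustrative choices.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;

@Configuration
@EnableWebSecurity
public class LogoutSecurityConfig { // hypothetical class name

    private static final Logger log = LoggerFactory.getLogger(LogoutSecurityConfig.class);

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Handlers added here run before the default SecurityContextLogoutHandler,
        // so the Authentication is still populated (it is null if nobody was logged in).
        LogoutHandler auditHandler = (request, response, authentication) -> {
            if (authentication != null) {
                log.info("logout user={} remote={}", authentication.getName(), request.getRemoteAddr());
            }
        };

        http
            .authorizeRequests(authz -> authz.anyRequest().authenticated())
            // CSRF protection is left enabled (the default), so only
            // POST /logout carrying a valid CSRF token triggers logout.
            .logout(logout -> logout
                .logoutUrl("/logout")
                .addLogoutHandler(auditHandler)
                .invalidateHttpSession(true)   // default, stated explicitly
                .clearAuthentication(true)     // default, stated explicitly
                .deleteCookies("JSESSIONID")   // assumed session cookie name
                // Assumed convention: XHR clients get a bare 204 instead of a redirect.
                .defaultLogoutSuccessHandlerFor(
                    new HttpStatusReturningLogoutSuccessHandler(HttpStatus.NO_CONTENT),
                    new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest"))
                // All other requests fall through to the SimpleUrlLogoutSuccessHandler.
                .logoutSuccessUrl("/login?logout")
                .permitAll());
        return http.build();
    }
}
```

Calling logoutSuccessHandler(...) here as well would make logoutSuccessUrl(...) be ignored, as noted under logoutSuccessHandler above.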
-
getLogoutSuccessHandler
public LogoutSuccessHandler getLogoutSuccessHandler()
Gets the LogoutSuccessHandler if not null, otherwise creates a new SimpleUrlLogoutSuccessHandler using the logoutSuccessUrl(String).
- Returns:
  the LogoutSuccessHandler to use
-
init
public void init(H http)
Description copied from interface: SecurityConfigurer
Initialize the SecurityBuilder. Here only shared state should be created and modified, but not properties on the SecurityBuilder used for building the object. This ensures that the SecurityConfigurer.configure(SecurityBuilder) method uses the correct shared objects when building. Configurers should be applied here.
- Specified by:
  init in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
- Overrides:
  init in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
-
configure
public void configure(H http) throws java.lang.Exception
Description copied from interface: SecurityConfigurer
Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
- Specified by:
  configure in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
- Overrides:
  configure in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
- Throws:
  java.lang.Exception
-
getLogoutHandlers
public java.util.List<LogoutHandler> getLogoutHandlers()
Gets the LogoutHandler instances that will be used.
- Returns:
  the LogoutHandler instances. Cannot be null.
-
-