Class LogoutConfigurer<H extends HttpSecurityBuilder<H>>
java.lang.Object
org.springframework.security.config.annotation.SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>
org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<LogoutConfigurer<H>,H>
org.springframework.security.config.annotation.web.configurers.LogoutConfigurer<H>
- All Implemented Interfaces:
SecurityConfigurer<DefaultSecurityFilterChain,
H>
public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>>
extends AbstractHttpConfigurer<LogoutConfigurer<H>,H>
Adds logout support. Other
SecurityConfigurer
instances may invoke
addLogoutHandler(LogoutHandler)
in the init(HttpSecurityBuilder)
phase.
Security Filters
The following Filters are populatedShared Objects Created
No shared Objects are createdShared Objects Used
No shared objects are used.- Since:
- 3.2
- See Also:
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionaddLogoutHandler
(LogoutHandler logoutHandler) Adds aLogoutHandler
.clearAuthentication
(boolean clearAuthentication) Specifies ifSecurityContextLogoutHandler
should clear theAuthentication
at the time of logout.void
Configure theSecurityBuilder
by setting the necessary properties on theSecurityBuilder
.defaultLogoutSuccessHandlerFor
(LogoutSuccessHandler handler, RequestMatcher preferredMatcher) Sets a defaultLogoutSuccessHandler
to be used which prefers being invoked for the providedRequestMatcher
.deleteCookies
(String... cookieNamesToClear) Allows specifying the names of cookies to be removed on logout success.Gets theLogoutHandler
instances that will be used.Gets theLogoutSuccessHandler
if not null, otherwise creates a newSimpleUrlLogoutSuccessHandler
using thelogoutSuccessUrl(String)
.void
Initialize theSecurityBuilder
.invalidateHttpSession
(boolean invalidateHttpSession) ConfiguresSecurityContextLogoutHandler
to invalidate theHttpSession
at the time of logout.logoutRequestMatcher
(RequestMatcher logoutRequestMatcher) The RequestMatcher that triggers log out to occur.logoutSuccessHandler
(LogoutSuccessHandler logoutSuccessHandler) Sets theLogoutSuccessHandler
to use.logoutSuccessUrl
(String logoutSuccessUrl) The URL to redirect to after logout has occurred.The URL that triggers log out to occur (default is "/logout").A shortcut forpermitAll(boolean)
withtrue
as an argument.permitAll
(boolean permitAll) Grants access to thelogoutSuccessUrl(String)
and thelogoutUrl(String)
for every user.Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer
disable, getSecurityContextHolderStrategy, withObjectPostProcessor
Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter
addObjectPostProcessor, and, getBuilder, postProcess, setBuilder
-
Constructor Details
-
LogoutConfigurer
public LogoutConfigurer()Creates a new instance- See Also:
-
-
Method Details
-
addLogoutHandler
Adds aLogoutHandler
.SecurityContextLogoutHandler
andLogoutSuccessEventPublishingLogoutHandler
are added as lastLogoutHandler
instances by default.- Parameters:
logoutHandler
- theLogoutHandler
to add- Returns:
- the
LogoutConfigurer
for further customization
-
clearAuthentication
Specifies ifSecurityContextLogoutHandler
should clear theAuthentication
at the time of logout.- Parameters:
clearAuthentication
- trueSecurityContextLogoutHandler
should clear theAuthentication
(default), or false otherwise.- Returns:
- the
LogoutConfigurer
for further customization
-
invalidateHttpSession
ConfiguresSecurityContextLogoutHandler
to invalidate theHttpSession
at the time of logout.- Parameters:
invalidateHttpSession
- true if theHttpSession
should be invalidated (default), or false otherwise.- Returns:
- the
LogoutConfigurer
for further customization
-
logoutUrl
The URL that triggers log out to occur (default is "/logout"). If CSRF protection is enabled (default), then the request must also be a POST. This means that by default POST "/logout" is required to trigger a log out. If CSRF protection is disabled, then any HTTP method is allowed.It is considered best practice to use an HTTP POST on any action that changes state (i.e. log out) to protect against CSRF attacks. If you really want to use an HTTP GET, you can use
logoutRequestMatcher(new AntPathRequestMatcher(logoutUrl, "GET"));
- Parameters:
logoutUrl
- the URL that will invoke logout.- Returns:
- the
LogoutConfigurer
for further customization - See Also:
-
logoutRequestMatcher
The RequestMatcher that triggers log out to occur. In most circumstances users will uselogoutUrl(String)
which helps enforce good practices.- Parameters:
logoutRequestMatcher
- the RequestMatcher used to determine if logout should occur.- Returns:
- the
LogoutConfigurer
for further customization - See Also:
-
logoutSuccessUrl
The URL to redirect to after logout has occurred. The default is "/login?logout". This is a shortcut for invokinglogoutSuccessHandler(LogoutSuccessHandler)
with aSimpleUrlLogoutSuccessHandler
.- Parameters:
logoutSuccessUrl
- the URL to redirect to after logout occurred- Returns:
- the
LogoutConfigurer
for further customization
-
permitAll
A shortcut forpermitAll(boolean)
withtrue
as an argument.- Returns:
- the
LogoutConfigurer
for further customizations
-
deleteCookies
Allows specifying the names of cookies to be removed on logout success. This is a shortcut to easily invokeaddLogoutHandler(LogoutHandler)
with aCookieClearingLogoutHandler
.- Parameters:
cookieNamesToClear
- the names of cookies to be removed on logout success.- Returns:
- the
LogoutConfigurer
for further customization
-
logoutSuccessHandler
Sets theLogoutSuccessHandler
to use. If this is specified,logoutSuccessUrl(String)
is ignored.- Parameters:
logoutSuccessHandler
- theLogoutSuccessHandler
to use after a user has been logged out.- Returns:
- the
LogoutConfigurer
for further customizations
-
defaultLogoutSuccessHandlerFor
public LogoutConfigurer<H> defaultLogoutSuccessHandlerFor(LogoutSuccessHandler handler, RequestMatcher preferredMatcher) Sets a defaultLogoutSuccessHandler
to be used which prefers being invoked for the providedRequestMatcher
. If noLogoutSuccessHandler
is specified aSimpleUrlLogoutSuccessHandler
will be used. If any defaultLogoutSuccessHandler
instances are configured, then aDelegatingLogoutSuccessHandler
will be used that defaults to aSimpleUrlLogoutSuccessHandler
.- Parameters:
handler
- theLogoutSuccessHandler
to usepreferredMatcher
- theRequestMatcher
for this defaultLogoutSuccessHandler
- Returns:
- the
LogoutConfigurer
for further customizations
-
permitAll
Grants access to thelogoutSuccessUrl(String)
and thelogoutUrl(String)
for every user.- Parameters:
permitAll
- if true grants access, else nothing is done- Returns:
- the
LogoutConfigurer
for further customization.
-
getLogoutSuccessHandler
Gets theLogoutSuccessHandler
if not null, otherwise creates a newSimpleUrlLogoutSuccessHandler
using thelogoutSuccessUrl(String)
.- Returns:
- the
LogoutSuccessHandler
to use
-
init
Description copied from interface:SecurityConfigurer
Initialize theSecurityBuilder
. Here only shared state should be created and modified, but not properties on theSecurityBuilder
used for building the object. This ensures that theSecurityConfigurer.configure(SecurityBuilder)
method uses the correct shared objects when building. Configurers should be applied here.- Specified by:
init
in interfaceSecurityConfigurer<DefaultSecurityFilterChain,
H extends HttpSecurityBuilder<H>> - Overrides:
init
in classSecurityConfigurerAdapter<DefaultSecurityFilterChain,
H extends HttpSecurityBuilder<H>>
-
configure
Description copied from interface:SecurityConfigurer
Configure theSecurityBuilder
by setting the necessary properties on theSecurityBuilder
.- Specified by:
configure
in interfaceSecurityConfigurer<DefaultSecurityFilterChain,
H extends HttpSecurityBuilder<H>> - Overrides:
configure
in classSecurityConfigurerAdapter<DefaultSecurityFilterChain,
H extends HttpSecurityBuilder<H>> - Throws:
Exception
-
getLogoutHandlers
Gets theLogoutHandler
instances that will be used.- Returns:
- the
LogoutHandler
instances. Cannot be null.
-