Hans

Reputation: 133

Spring Security WebFlux logout

What is the equivalent way to invalidate the session and delete cookies in WebFlux when doing logout, similar to:

    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .httpBasic()
                .and()
                .logout().clearAuthentication(true)
                .logoutSuccessUrl("/")
                .deleteCookies("JSESSIONID")
                .invalidateHttpSession(true)
                .and()
    ...

Upvotes: 5

Views: 3362

Answers (1)

Tires

Reputation: 1602

Besides the fact that the cookie "SESSION" and the WebSession (the session name in WebFlux) are removed by default, you can configure a ServerLogoutSuccessHandler:

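    .logout()
        .logoutSuccessHandler(new ServerLogoutSuccessHandler() {
            @Override
            public Mono<Void> onLogoutSuccess(WebFilterExchange exchange, Authentication authentication) {
                ServerHttpResponse response = exchange.getExchange().getResponse();
                // Redirect to the login page after logout
                response.setStatusCode(HttpStatus.FOUND);
                response.getHeaders().setLocation(URI.create("/login.html?logout"));
                // Removing the entry from getCookies() only drops a cookie queued on this response;
                // to make the browser delete it, send it back expired (Max-Age=0)
                response.addCookie(ResponseCookie.from("JSESSIONID", "").maxAge(0).build());
                // Invalidate the WebSession
                return exchange.getExchange().getSession()
                    .flatMap(WebSession::invalidate);
            }
        })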

Upvotes: 4
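A complete WebFlux counterpart of the servlet configuration in the question, as an added example that is not part of the original question or answer: it clears the security context, sends the cookie back expired with Max-Age=0, invalidates the WebSession, and then redirects to "/". It assumes the lambda DSL available since Spring Security 5.2 and that the cookie was issued with Path=/.

```java
import java.net.URI;
import java.time.Duration;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.ResponseCookie;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.logout.RedirectServerLogoutSuccessHandler;
import org.springframework.security.web.server.authentication.logout.SecurityContextServerLogoutHandler;
import org.springframework.security.web.server.authentication.logout.ServerLogoutHandler;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {
    // Assumption: cookies were issued with Path=/; the browser only drops a
    // cookie when name, path and domain match the one it stored.
    private static ResponseCookie expired(String name) {
        return ResponseCookie.from(name, "").path("/").maxAge(Duration.ZERO).build();
    }

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        ServerLogoutHandler clearContext = new SecurityContextServerLogoutHandler();

        // Clear the SecurityContext, expire the cookie, then invalidate the WebSession.
        ServerLogoutHandler logoutHandler = (exchange, authentication) ->
            clearContext.logout(exchange, authentication)
                .then(exchange.getExchange().getSession())
                .flatMap(session -> {
                    exchange.getExchange().getResponse().addCookie(expired("JSESSIONID"));
                    return session.invalidate();
                });

        RedirectServerLogoutSuccessHandler onSuccess = new RedirectServerLogoutSuccessHandler();
        onSuccess.setLogoutSuccessUrl(URI.create("/"));

        return http
            .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
            .httpBasic(Customizer.withDefaults())
            .logout(logout -> logout
                .logoutHandler(logoutHandler)
                .logoutSuccessHandler(onSuccess))
            .build();
    }
}
```

To confirm the behaviour, check that the logout response carries a `Set-Cookie` header with `Max-Age=0` for each cookie and that a follow-up request with the old session id is treated as unauthenticated.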
