Spring Security WebFlux logout

2
votes

What is the equivalent way to invalidate session and delete cookies in WebFlux when doing logout similar to 

public class SecurityConfig extends WebSecurityConfigurerAdapter {



    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http
        .httpBasic()
        .and()
        .logout().clearAuthentication(true)
        .logoutSuccessUrl("/")
        .deleteCookies("JSESSIONID")
        .invalidateHttpSession(true)
        .and()
...
1
spring-bootspring-securityspring-webflux

1 Answers

1
votes

Besides that the cookie "SESSION" and the WebSession (session name in WebFlux) are removed by default, you can configure a ServerLogoutSuccessHandler:

    .logout()
        .logoutSuccessHandler(new ServerLogoutSuccessHandler() {
            @Override
            public Mono<Void> onLogoutSuccess(WebFilterExchange exchange, Authentication authentication) {
                ServerHttpResponse response = exchange.getExchange().getResponse();
                response.setStatusCode(HttpStatus.FOUND);
                response.getHeaders().setLocation(URI.create("/login.html?logout"));
                response.getCookies().remove("JSESSIONID");
                return exchange.getExchange().getSession()
                    .flatMap(WebSession::invalidate);
            }
        })