Docs for WebSessionServerLogoutHandler

jzheaux · jzheaux · commit aed203f3673c · 2021-08-16T13:09:42.000-06:00
Issue gh-4838
diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/index.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/index.adoc
@@ -10,6 +10,8 @@ include::registered-oauth2-authorized-client.adoc[leveloffset=+1]
 
 include::x509.adoc[leveloffset=+1]
 
+include::logout.adoc[leveloffset=+1]
+
 include::webclient.adoc[leveloffset=+1]
 
 include::method.adoc[leveloffset=+1]
diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/logout.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/logout.adoc
@@ -0,0 +1,28 @@
+[[reactive-logout]]
+= Logout
+
+Spring Security provides a logout endpoint by default.
+Once logged in, you can `GET /logout` to see a default logout confirmation page, or you can `POST /logout` to initiate logout.
+This will:
+
+- clear the `ServerCsrfTokenRepository`, `ServerSecurityContextRepository`, and
+- redirect back to the login page
+
+Often, you will want to also invalidate the session on logout.
+To achieve this, you can add the `WebSessionServerLogoutHandler` to your logout configuration, like so:
+
+[source,java]
+----
+@Bean
+SecurityWebFilterChain http(ServerHttpSecurity http) throws Exception {
+    DelegatingServerLogoutHandler logoutHandler = new DelegatingServerLogoutHandler(
+            new WebSessionServerLogoutHandler(), new SecurityContextServerLogoutHandler()
+    );
+
+    http
+        .authorizeExchange((exchange) -> exchange.anyExchange().authenticated())
+        .logout((logout) -> logout.logoutHandler(logoutHandler));
+
+    return http.build();
+}
+----
