How to log-out Spring Security in Vaadin?

Question

Is there a practical working example of how to programmatically log out from Spring Security? I tried many ways, and no one works; the session ID stays valid in the browser.

Here is the code I am using:

activeUserMenu.addItem("Log out", e -> {
        UI.getCurrent().getPage().setLocation("/");
        SecurityContextHolder.clearContext();
        SecurityContextLogoutHandler logoutHandler = new SecurityContextLogoutHandler();
        logoutHandler.logout(
            VaadinServletRequest.getCurrent().getHttpServletRequest(), null,
            null);
        for(Cookie cookie : VaadinServletRequest.getCurrent().getCookies()) {
          cookie.setMaxAge(0);
        }
      });

Notice: I log in through a custom Thymeleaf form. In theory, all I have to do is redirect the browser to "/logout" default Spring URL. But Vaadin tells me that the router does not recognize that URL. I made several other attempts, including using Javascript and handling a get to "/logout". None worked.

Answer 1

I think clearing cookies should work. I use the following to remove a cookie by name in a Vaadin 14 app:

private void removeCookie(String cookieName) {
    Cookie cookie = new Cookie(cookieName, "");
    cookie.setMaxAge(0);
    VaadinResponse.getCurrent().addCookie(cookie);
}

Alternatively you should be able to logout just by invalidating the whole HTTP session: VaadinServletRequest.getCurrent().getHttpServletRequest().getSession().invalidate()

Answer 2

Configure:

http.
...
.logout()
.logoutUrl("/logout")
.invalidateHttpSession(true)
.deleteCookies("JSESSIONID")

then

logoutButton.addClickListener(clickEvent -> {
            UI.getCurrent().getPage().setLocation("/logout");
        });