Spring Security - Logout

Last Updated : 7 Mar, 2026

The Spring Security logout process invalidates the user's session and optionally cleans up the related security context that identifies that session. Spring Security provides default logout handling that can be customized through the application's security configuration.

When the user logs out:

  • The authentication is cleared from the current SecurityContext, so the user is no longer recognized as an authenticated user of the application.
  • The user's session is invalidated.
  • Optionally, cookies can be cleared and other cleanup activities can be performed.

Implementation of the Spring Security - Logout

Below are the implementation steps of the logout mechanism in Spring Security.

Step 1: Create a Spring Boot Project

Create a new project using Spring Initializr with the following configuration:

Project Setup

  • Project: Maven
  • Language: Java
  • Spring Boot: Latest version
  • Packaging: JAR
  • Java: 17 or later

Dependencies

  • Spring Web
  • Spring Security
  • Lombok
  • Spring DevTools
  • Thymeleaf

Once the project is created, the file structure will resemble the following:

Folder Structure

Step 2: Configure Security Credentials

Open the application.properties file and add the security username and password configuration for the Spring Security application:

Properties
spring.application.name=spring-security-logout

server.port=8080

spring.security.user.name=user
spring.security.user.password=user

Step 3: Create the Security Configuration class.

We create the SecurityConfig class to configure Spring Security in the project. Go to src > org.example.springsecuritylogout > config > SecurityConfig and add the code below.

Java
package org.example.springsecuritylogout.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {

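        http
            // Every request, including the home page, requires an authenticated user
            .authorizeHttpRequests(auth -> auth
                .anyRequest().authenticated()
            )
            // Use Spring Security's generated login page at /login
            .formLogin(Customizer.withDefaults())
            .logout(logout -> logout
                .logoutSuccessUrl("/login?logout")   // where to redirect after logout
                .invalidateHttpSession(true)         // invalidate the server-side session
                .deleteCookies("JSESSIONID")         // expire the session cookie in the browser
                .permitAll()                         // allow access to the logout URLs
            );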

        return http.build();
    }
}
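The "other cleanup activities" mentioned at the start can be attached as extra logout handlers. The following configuration is an added example, not part of the original tutorial: the class name AuditedLogoutConfig and the log format are hypothetical, and it is meant as an alternative to SecurityConfig above, not an addition to it.

```java
package org.example.springsecuritylogout.config;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.HeaderWriterLogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter;
import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter.Directive;

// Hypothetical alternative to SecurityConfig; register only one of the two.
@Configuration
public class AuditedLogoutConfig {

    private static final Logger log = LoggerFactory.getLogger(AuditedLogoutConfig.class);

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // The Authentication is passed to every handler, so the user can be recorded.
        LogoutHandler audit = (request, response, authentication) -> {
            if (authentication != null) {
                log.info("logout user={} ip={}", authentication.getName(), request.getRemoteAddr());
            }
        };
        // Asks the browser to drop cookies, cache and storage for this origin (written over HTTPS only).
        LogoutHandler clearSiteData = new HeaderWriterLogoutHandler(
                new ClearSiteDataHeaderWriter(Directive.COOKIES, Directive.CACHE, Directive.STORAGE));

        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .logout(logout -> logout
                .addLogoutHandler(audit)
                .addLogoutHandler(clearSiteData)
                .logoutSuccessUrl("/login?logout")
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .deleteCookies("JSESSIONID")
                .permitAll()
            );
        return http.build();
    }
}
```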

Step 4: Create the Controller class.

We create the HomeController class to serve the home page of the Spring project. Go to src > org.example.springsecuritylogout > controller > HomeController and add the code below.

Java
package org.example.springsecuritylogout.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class HomeController {

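    // Renders the home template for authenticated users
    @GetMapping("/")
    public String home() {
        return "home";
    }

    // With formLogin(Customizer.withDefaults()), Spring Security's generated
    // login page answers GET /login before this mapping is reached
    @GetMapping("/login")
    public String login() {
        return "login";
    }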
}

Step 5: Main Class (No Changes Are Required)

Go to src > org.example.springsecuritylogout > SpringSecurityLogoutApplication and add the code below.

Java
package org.example.springsecuritylogout;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class SpringSecurityLogoutApplication {

    public static void main(String[] args) {
        SpringApplication.run(SpringSecurityLogoutApplication.class, args);
    }

}

Step 6: Create the Home HTML page.

We will now create the home page for the Spring application. Go to src > main > resources > templates > home.html and add the code below. The file name must match the view name "home" returned by HomeController.

HTML
<!DOCTYPE html>
<html>
<head>
    <title>Home Page</title>
    <style>
        body {
            font-family: Arial, sans-serif; /* Sets the font for the body */
            background-color: #f4f4f9; /* Light grey background */
            margin: 40px; /* Adds margin around the body */
        }
        h1 {
            color: #333; /* Dark grey color for the heading */
        }
        a {
            color: #007BFF; /* Bootstrap primary blue color for links */
            text-decoration: none; /* Removes underline from links */
            font-weight: bold; /* Makes the text bold */
        }
        a:hover {
            color: #0056b3; /* Darker blue color on hover */
            text-decoration: underline; /* Adds underline on hover */
        }
    </style>
</head>
<body>
<h1>Welcome to the Home Page!</h1>
<a href="/logout">Logout</a>
</body>
</html>

Step 7: Run the Application

Finally, run the application; it starts on port 8080.

Application Runs

Step 8: Test the Application

Endpoint API:

http://localhost:8080/

If the user is not logged in, the application redirects to its /login endpoint.

  • Username: user
  • Password: user

Output:

Sign in Page

Once logged into the application, it goes to the below URL.

http://localhost:8080/?continue

Output:

Home Page

Click the Logout link; the browser goes to the URL below, which shows a logout confirmation prompt.

http://localhost:8080/logout

Output:

Log out popup

Once the user logs out of the application, they are redirected to the login page.

http://localhost:8080/login?logout

Output:

Sign out
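The manual checks above can be automated. The following JUnit test is an added example, not part of the original tutorial; it assumes the spring-security-test dependency is on the test classpath, and the class name LogoutFlowTest is hypothetical. It also shows that, with CSRF protection left at its default, only a POST to /logout that carries a CSRF token ends the session.

```java
package org.example.springsecuritylogout;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

import static org.junit.jupiter.api.Assertions.*;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;

@SpringBootTest
class LogoutFlowTest {

    @Autowired
    private WebApplicationContext context;

    @Test
    void logoutNeedsCsrfPostAndEndsTheSession() throws Exception {
        MockMvc mvc = MockMvcBuilders.webAppContextSetup(context)
                .apply(springSecurity()).build();
        // Log in with the credentials from application.properties and keep the session.
        MvcResult login = mvc.perform(formLogin().user("user").password("user"))
                .andExpect(authenticated()).andReturn();
        MockHttpSession session = (MockHttpSession) login.getRequest().getSession(false);

        // GET /logout (the link on the home page) only renders the confirmation page.
        mvc.perform(get("/logout").session(session)).andExpect(status().isOk());
        // A POST without a CSRF token is rejected, and the session survives.
        mvc.perform(post("/logout").session(session)).andExpect(status().isForbidden());
        assertFalse(session.isInvalid());
        // A POST with a valid CSRF token performs the logout configured in SecurityConfig.
        mvc.perform(post("/logout").session(session).with(csrf()))
                .andExpect(redirectedUrl("/login?logout"))
                .andExpect(cookie().maxAge("JSESSIONID", 0))
                .andExpect(unauthenticated());
        assertTrue(session.isInvalid());
    }
}
```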

