
Documentation version: Vaadin 25 (prerelease)

Add Logout

Learn how to securely log out users from a Vaadin application using Spring Security.

Logging out of an application is just as important as logging in. Leaving a session open for too long or failing to properly close it can lead to serious security risks.

Since Vaadin uses Spring Security for authentication, it also relies on it for logging out and session invalidation.

Important
Vaadin Logout vs. Spring Logout
In a traditional Spring web application, logging out requires sending a POST request to /logout, which must include Spring’s CSRF token. However, Vaadin applications use their own CSRF protection mechanism, making this approach difficult to implement. Additionally, since Vaadin views run on the server, they don’t interact with HTTP requests directly.

Logging Out

Vaadin provides the class AuthenticationContext, which includes a logout() method. Calling this method logs out the user and redirects them to a preconfigured logout success URL.

You typically call logout() from a button or menu item click listener. Here’s how to add a logout button to a view:

Source code
Java
import com.vaadin.flow.component.button.Button;
import com.vaadin.flow.component.html.Main;
import com.vaadin.flow.router.Route;
import com.vaadin.flow.spring.security.AuthenticationContext;
import jakarta.annotation.security.PermitAll;

@Route("logout")
@PermitAll // (1)
public class LogoutView extends Main {

    public LogoutView(AuthenticationContext authenticationContext) { // (2)
        // Clicking the button invalidates the session and redirects to the logout success URL
        add(new Button("Logout", event -> authenticationContext.logout()));
    }
}
  1. Grants access to authenticated users — otherwise, users wouldn’t be able to log out.

  2. Injects AuthenticationContext, which is a Spring Bean.

Configuring the Logout Success URL

By default, users are redirected to the root URL (/) after logging out. To change this, specify a custom logout success URL in your security configuration:

Source code
SecurityConfig.java
import com.vaadin.flow.spring.security.VaadinSecurityConfigurer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
@Configuration
class SecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Configure Vaadin's security using VaadinSecurityConfigurer
        http.with(VaadinSecurityConfigurer.vaadin(), configurer -> {
            // Second argument is the logout success URL
            configurer.loginView(LoginView.class, "/logged-out.html"); // (1)
        });
        return http.build();
    }
    ...
}
  1. Sets /logged-out.html as the logout success URL.

If your application runs at https://example.com, users will be redirected to https://example.com/logged-out.html after logging out.

Absolute vs. Relative URLs

The logout success URL can be either absolute or relative.

  • Absolute URLs — Start with https:// or http:// (e.g., https://example.com/logged-out).

  • Relative URLs — Start with / (e.g., /logged-out.html).

Important
Relative logout URLs must include the context path
If your application is deployed at https://example.com/app, the logout URL should be /app/logged-out.html.