I just announced the newSpring Security 5 modules (primarily focused on OAuth2) in the course:


1. Overview

This article is building on top of our Form Login tutorial and is going to focus on the how to configure Logout with Spring Security.

2. Basic Configuration

The basic configuration of Spring Logout functionality using the security namespace support is simple enough:




The element enables the default logout mechanism – which is configured to use the following logout url: /logout which used to be /j_spring_security_logout before Spring Security 4.

3. The JSP and the Logout Link

Continuing this simple example, the way to provide a logout link in the web application is:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
      <a href="<c:url value="/logout" />">Logout</a>

4. Advanced Customizations

4.1. logout-success-url

After the logout process is performed successfully, Spring Security will redirect the user to a specified page. By default, this is the root page (“/”) but this is configurable in the namespace:

<logout logout-success-url="/afterlogout.html" />

Depending on the application, a good practice is to redirect the user back to the login page:

<logout logout-success-url="/login.html" />

4.2. logout-url

Similar to other defaults in Spring Security, the URL that actually triggers the logout mechanism has a default as well – /logout.

It is, however, a good idea to change this default value, to make sure that no information is published about what framework is used to secure the application:

  logout-url="/perform_logout" />

4.3. invalidate-session and delete-cookie

These two advanced attributes control the session invalidation as well as a list of cookies to be deleted when the user logs out. As such, invalidate-session allows the session to be set up so that it’s not invalidated when logout occurs (it’s true by default).

The delete-cookie attribute is simple as well:

  delete-cookies="JSESSIONID" />

4.4. success-handler-ref

For more advanced scenarios, where the namespace is not flexible enough, the LogoutSuccessHandler bean from the Spring Context can be replaced by a custom reference:

  success-handler-ref="customLogoutSuccessHandler" />

<beans:bean name="customUrlLogoutSuccessHandler" />

Any custom application logic that needs to run when the user successfully logs out can be implemented with custom logout success handler. For example – a simple audit mechanism keeping track of the last page the user was on when they triggered logout:

public class CustomLogoutSuccessHandler extends 
  SimpleUrlLogoutSuccessHandler implements LogoutSuccessHandler {

    private AuditService auditService; 

    public void onLogoutSuccess(
      HttpServletRequest request, 
      HttpServletResponse response, 
      Authentication authentication) 
      throws IOException, ServletException {
        String refererUrl = request.getHeader("Referer");
        auditService.track("Logout from: " + refererUrl);

        super.onLogoutSuccess(request, response, authentication);

Also, keep in mind that this custom bean has the responsibility to determine the destination to which the user is directed after logging out. Because of this, pairing the success-handler-ref attribute with logout-success-url is not going to work, as both cover similar functionality; the end result would be:

Configuration problem: Use logout-success-url or success-handler-ref, but not both

5. Conclusion

In this example, we started by setting up a simple logout sample with Spring Security, and we then discussed the more advanced options available on the namespace element.

The implementation of this Spring Logout Tutorial can be found in the GitHub project – this is an Eclipse based project, so it should be easy to import and run as it is.

When the project runs locally, the sample HTML can be accessed at:


I just announced the new Spring Security 5 modules (primarily focused on OAuth2) in the course:


newest oldest most voted
Notify of

I have been looking for a recipe for the proper way to log out of a secure https connection (e.g., two-way SSL using a smart card or browser-installed X.509 certs), possibly to a http page. There are many little details, and missing any of them results in security loopholes or a user remaining logged-in. It seems like such an important pattern that people shouldn’t re-invent it from scratch, and it is independent of any front-end framework (Angular, Ember, et al) chosen.


Hi there. I got a problem with my java web project. I add a ‘remember me’ check box in my login form. And when it’s ticked, I simply cannot logout successfully, and my page will remain authenticated. Please help me…thank you.

Grzegorz Piwowarek

Shahril, your question can’t be answered without looking at the code. I suggesting posting here a link to the code on GitHub or going straight to StackOverFlow and also posting a link here. In the second option, you will probably get the response faster

Matthias Bachmann

Hi there. I was trying your example at https://github.com/eugenp/tutorials/tree/master/spring-security-mvc-login. It s working fine at logout with Chrome and Firefox. The logged out successfully message apears. With IE 11, I always get a “Session Timed Out” message instead of the “You logged out successfully” message. The Network Analysis at IE 11 shows, that the URL “/logout.html?logSucc=true” is correctly called.

Grzegorz Piwowarek

Yeah, this is how working with IE looks in practice 😀

Matthias Bachmann

But how to solve it? Is there a work around?

Grzegorz Piwowarek

Well, there must be. I am afraid I can’t help in here, I have not been using IE for many years for now.