diff --git a/docs/src/main/asciidoc/security-authentication-mechanisms.adoc b/docs/src/main/asciidoc/security-authentication-mechanisms.adoc
index 6e7a63d589538..108657ce55dc0 100644
--- a/docs/src/main/asciidoc/security-authentication-mechanisms.adoc
+++ b/docs/src/main/asciidoc/security-authentication-mechanisms.adoc
@@ -91,6 +91,83 @@ quarkus.http.auth.form.landing-page=
 # do not redirect, respond with HTTP 401 Unauthorized
 quarkus.http.auth.form.login-page=
 quarkus.http.auth.form.error-page=
+
+# HttpOnly must be false if you want to logout on the client, it can be true if logging out on from the server
+quarkus.http.auth.form.http-only-cookie=false
+----
+
+Now that you have disabled redirects for the SPA, you must login and logout programmatically from your client.
+Below are example JavaScript methods for logging into the `j_security_check` endpoint and logging out of the application by destroying the cookie.
+
+[source,javascript]
+----
+const login = () => {
+ // Create an object to represent the form data
+ const formData = new URLSearchParams();
+ formData.append("j_username", username);
+ formData.append("j_password", password);
+
+ // Make an HTTP POST request using fetch against j_security_check endpoint
+ fetch("j_security_check", {
+ method: "POST",
+ body: formData,
+ headers: {
+ "Content-Type": "application/x-www-form-urlencoded",
+ },
+ })
+ .then((response) => {
+ if (response.status === 200) {
+ // Authentication was successful
+ console.log("Authentication successful");
+ } else {
+ // Authentication failed
+ console.error("Invalid credentials");
+ }
+ })
+ .catch((error) => {
+ console.error(error);
+ });
+};
+----
+
+To logout of the SPA from the client the cookie must be set to `quarkus.http.auth.form.http-only-cookie=false` so you can destroy
the cookie and possibly redirect back to your main page.
+
+[source,javascript]
+----
+const logout= () => {
+ // delete the credential cookie essentially killing the session
+ const removeCookie = `quarkus-credential=; Max-Age=0;path=/`;
+ document.cookie = removeCookie;
+
+ // perform post logout actions here such as redirecting back to your login page
+};
+----
+
+To logout of the SPA from the server the cookie can be set to `quarkus.http.auth.form.http-only-cookie=true` and use this example
+code to destroy the cookie.
+
+[source,java]
+----
+@ConfigProperty(name = "quarkus.http.auth.form.cookie-name")
+String cookieName;
+
+@Inject
+CurrentIdentityAssociation identity;
+
+@POST
+public Response logout() {
+ if (identity.getIdentity().isAnonymous()) {
+ throw new UnauthorizedException("Not authenticated");
+ }
+ final NewCookie removeCookie = new NewCookie.Builder(cookieName)
+ .maxAge(0)
+ .expiry(Date.from(Instant.EPOCH))
+ .path("/")
+ .build();
+ return Response.noContent().cookie(removeCookie).build();
+}
+
 ----
 
 The following properties can be used to configure form-based authentication: