java - Spring Security Logout From Stateless server
I am creating a stateless REST API with Spring Boot, therefore I am using token-based authentication.

Currently the logout functionality is implemented on the client side: it clears the cookies.

The problem is that the user object seems to survive the request and still exists in the next requests. The service for the current user is simply:

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

@Service
public class UserService {

    // Instance field on a singleton bean: kept across requests once set
    private User user;

    @Autowired
    private UserRepository userRepository;

    public User get() {
        if (user != null) {
            return user;
        }
        // The token filter stores the user id as the principal
        Integer id = (Integer) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        user = userRepository.findById(id);
        return user;
    }
}
```

I expected the user variable to be null on every request? The funny thing is that the correct user id is set in the security context. The service returns the user object because it exists.
You shouldn't use a User class attribute.

UserService is a singleton, so what happens when you have concurrent requests coming from different users? Move the variable inside the method.

Moreover, if you are using JWT token-based authentication, take a look at the project.

With JWT you can retrieve the user's required information directly from the token without performing queries.
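A corrected version of the service, written here as an added example rather than taken from the question or the answer. It keeps the lookup in a local variable so nothing survives the request, and it refuses to cast an anonymous or missing principal. It assumes `UserRepository` is a Spring Data 2.x `CrudRepository<User, Integer>` (so `findById` returns an `Optional`) and that the token filter stores the user id as an `Integer` principal, as in the question; both are assumptions about the asker's project.

```java
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

@Service
public class UserService {

    // The repository is the only state this singleton holds; it is safe to share
    // between threads. No per-request data lives in a field.
    private final UserRepository userRepository;

    public UserService(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    public User get() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        // Without this check an anonymous request would hit a ClassCastException
        // (the anonymous principal is the String "anonymousUser"), and a request
        // without any authentication would throw a NullPointerException.
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            throw new IllegalStateException("no authenticated user in the current request");
        }

        // Assumption: the token filter set the user id as the principal.
        Integer id = (Integer) auth.getPrincipal();

        // Local variable only: it is created for this call and discarded with it,
        // so a logged-out user, or another user's data, can never be served from
        // a stale field.
        return userRepository.findById(id)
                .orElseThrow(() -> new IllegalStateException("user " + id + " no longer exists"));
    }
}
```

The original field was not just a stale-data bug: because the bean is a singleton, whichever user first called `get()` would have been returned to every other user until the application restarted. A query per request is the simplest fix; if the extra query matters, put the needed claims in the JWT as the answer suggests, or cache per request (for example with a `@RequestScope` bean), never in a singleton.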