Logout requires POST

Issue: gh-4734

config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

@@ -641,31 +641,26 @@ public class ServerHttpSecurity {
 	 * @since 5.0
 	 */
 	public final class LogoutBuilder {
-
+		private LogoutWebFilter logoutWebFilter = new LogoutWebFilter();
-		private ServerLogoutHandler serverLogoutHandler = new SecurityContextServerLogoutHandler();
-
-		private ServerLogoutSuccessHandler logoutSuccessHandler;
-
-		private String logoutUrl = "/logout";
-
-		private ServerWebExchangeMatcher requiresLogout = ServerWebExchangeMatchers
-			.pathMatchers(this.logoutUrl);
 
 		public LogoutBuilder logoutHandler(ServerLogoutHandler serverLogoutHandler) {
-			Assert.notNull(serverLogoutHandler, "logoutHandler must not be null");
+			this.logoutWebFilter.setServerLogoutHandler(serverLogoutHandler);
-			this.serverLogoutHandler = serverLogoutHandler;
 			return this;
 		}
 
 		public LogoutBuilder logoutUrl(String logoutUrl) {
-			Assert.notNull(this.serverLogoutHandler, "logoutUrl must not be null");
+			Assert.notNull(logoutUrl, "logoutUrl must not be null");
-			this.logoutUrl = logoutUrl;
+			ServerWebExchangeMatcher requiresLogout = ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, logoutUrl);
-			this.requiresLogout = ServerWebExchangeMatchers.pathMatchers(logoutUrl);
+			return requiresLogout(requiresLogout);
+		}
+
+		public LogoutBuilder requiresLogout(ServerWebExchangeMatcher requiresLogout) {
+			this.logoutWebFilter.setRequiresLogout(requiresLogout);
 			return this;
 		}
 
 		public LogoutBuilder logoutSuccessHandler(ServerLogoutSuccessHandler handler) {
-			this.logoutSuccessHandler = handler;
+			this.logoutWebFilter.setServerLogoutSuccessHandler(handler);
 			return this;
 		}
 
@@ -679,19 +674,7 @@ public class ServerHttpSecurity {
 		}
 
 		public void configure(ServerHttpSecurity http) {
-			LogoutWebFilter logoutWebFilter = createLogoutWebFilter(http);
+			http.addFilterAt(this.logoutWebFilter, SecurityWebFiltersOrder.LOGOUT);
-			http.addFilterAt(logoutWebFilter, SecurityWebFiltersOrder.LOGOUT);
-		}
-
-		private LogoutWebFilter createLogoutWebFilter(ServerHttpSecurity http) {
-			LogoutWebFilter logoutWebFilter = new LogoutWebFilter();
-			logoutWebFilter.setServerLogoutHandler(this.serverLogoutHandler);
-			logoutWebFilter.setRequiresLogout(this.requiresLogout);
-			if(this.logoutSuccessHandler != null) {
-				logoutWebFilter.setServerLogoutSuccessHandler(this.logoutSuccessHandler);
-			}
-
-			return logoutWebFilter;
 		}
 
 		private LogoutBuilder() {}

web/src/main/java/org/springframework/security/web/server/authentication/logout/LogoutWebFilter.java

@@ -16,6 +16,7 @@
 
 package org.springframework.security.web.server.authentication.logout;
 
+import org.springframework.http.HttpMethod;
 import org.springframework.security.core.context.ReactiveSecurityContextHolder;
 import org.springframework.util.Assert;
 import reactor.core.publisher.Mono;
@@ -46,7 +47,7 @@ public class LogoutWebFilter implements WebFilter {
 	private ServerLogoutSuccessHandler serverLogoutSuccessHandler = new RedirectServerLogoutSuccessHandler();
 
 	private ServerWebExchangeMatcher requiresLogout = ServerWebExchangeMatchers
-		.pathMatchers("/logout");
+		.pathMatchers(HttpMethod.POST, "/logout");
 
 	@Override
 	public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {