From 07e0b1dc37c2b5f6ffc205ac68fe60dc730e010e Mon Sep 17 00:00:00 2001
From: Andreas Asplund <andreas@asplund.biz>
Date: Thu, 1 Feb 2024 21:26:17 +0100
Subject: [PATCH] Saml2 LogoutFilter Is Placed Before Common LogoutFilter

Closes gh-14525
---
 .../configurers/saml2/Saml2LogoutConfigurer.java  | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurer.java
index a54bbbc62f..04deca6960 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurer.java
@@ -268,12 +268,14 @@ public final class Saml2LogoutConfigurer<H extends HttpSecurityBuilder<H>>
 		return postProcess(logoutResponseFilter);
 	}
 
-	private LogoutFilter createRelyingPartyLogoutFilter(RelyingPartyRegistrationResolver registrations) {
+	private Saml2RelyingPartyInitiatedLogoutFilter createRelyingPartyLogoutFilter(
+			RelyingPartyRegistrationRepository registrations) {
 		LogoutHandler[] logoutHandlers = this.logoutHandlers.toArray(new LogoutHandler[0]);
 		Saml2RelyingPartyInitiatedLogoutSuccessHandler logoutRequestSuccessHandler = createSaml2LogoutRequestSuccessHandler(
 				registrations);
 		logoutRequestSuccessHandler.setLogoutRequestRepository(this.logoutRequestConfigurer.logoutRequestRepository);
-		LogoutFilter logoutFilter = new LogoutFilter(logoutRequestSuccessHandler, logoutHandlers);
+		Saml2RelyingPartyInitiatedLogoutFilter logoutFilter = new Saml2RelyingPartyInitiatedLogoutFilter(
+				logoutRequestSuccessHandler, logoutHandlers);
 		logoutFilter.setLogoutRequestMatcher(createLogoutMatcher());
 		return postProcess(logoutFilter);
 	}
@@ -568,4 +570,13 @@ public final class Saml2LogoutConfigurer<H extends HttpSecurityBuilder<H>>
 
 	}
 
+	private static class Saml2RelyingPartyInitiatedLogoutFilter extends LogoutFilter {
+
+		public Saml2RelyingPartyInitiatedLogoutFilter(LogoutSuccessHandler logoutSuccessHandler,
+				LogoutHandler... handlers) {
+			super(logoutSuccessHandler, handlers);
+		}
+
+	}
+
 }