Logout defaults to use Global SecurityContextServerLogoutHandler

Closes gh-8375
2025-06-21 19:42:13 +00:00 · 2020-04-13 12:32:59 -05:00 · 2020-04-13 12:32:59 -05:00 · 1b91259412
commit 1b91259412
parent 9d3ea58bb1
2 changed files with 49 additions and 1 deletions
--- a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
@ -2412,7 +2412,9 @@ public class ServerHttpSecurity {
 	 */
 	public final class LogoutSpec {
 		private LogoutWebFilter logoutWebFilter = new LogoutWebFilter();
-		private List<ServerLogoutHandler> logoutHandlers = new ArrayList<>(Arrays.asList(new SecurityContextServerLogoutHandler()));
+		private final SecurityContextServerLogoutHandler DEFAULT_LOGOUT_HANDLER = new SecurityContextServerLogoutHandler();
+		private List<ServerLogoutHandler> logoutHandlers = new ArrayList<>(Arrays.asList(this.DEFAULT_LOGOUT_HANDLER));
+

 		/**
 		 * Configures the logout handler. Default is {@code SecurityContextServerLogoutHandler}
@ -2476,6 +2478,10 @@ public class ServerHttpSecurity {
 		}

 		private Optional<ServerLogoutHandler> createLogoutHandler() {
+			ServerSecurityContextRepository securityContextRepository = ServerHttpSecurity.this.securityContextRepository;
+			if (securityContextRepository != null) {
+				this.DEFAULT_LOGOUT_HANDLER.setSecurityContextRepository(securityContextRepository);
+			}
 			if (this.logoutHandlers.isEmpty()) {
 				return Optional.empty();
 			}
--- a/config/src/test/java/org/springframework/security/config/web/server/LogoutSpecTests.java
+++ b/config/src/test/java/org/springframework/security/config/web/server/LogoutSpecTests.java
@ -21,6 +21,7 @@ import org.openqa.selenium.WebDriver;
 import org.springframework.security.config.annotation.web.reactive.ServerHttpSecurityConfigurationBuilder;
 import org.springframework.security.htmlunit.server.WebTestClientHtmlUnitDriverBuilder;
 import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository;
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
 import org.springframework.test.web.reactive.server.WebTestClient;
 import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
@ -117,4 +118,45 @@ public class LogoutSpecTests {
 			.assertAt()
 			.assertLogout();
 	}
+
+	@Test
+	public void logoutWhenCustomSecurityContextRepositoryThenLogsOut() {
+		WebSessionServerSecurityContextRepository repository = new WebSessionServerSecurityContextRepository();
+		repository.setSpringSecurityContextAttrName("CUSTOM_CONTEXT_ATTR");
+		SecurityWebFilterChain securityWebFilter = this.http
+						.securityContextRepository(repository)
+						.authorizeExchange()
+							.anyExchange().authenticated()
+							.and()
+						.formLogin()
+							.and()
+						.logout()
+							.and()
+						.build();
+
+				WebTestClient webTestClient = WebTestClientBuilder
+						.bindToWebFilters(securityWebFilter)
+						.build();
+
+				WebDriver driver = WebTestClientHtmlUnitDriverBuilder
+						.webTestClientSetup(webTestClient)
+						.build();
+
+				FormLoginTests.DefaultLoginPage loginPage = FormLoginTests.HomePage.to(driver, FormLoginTests.DefaultLoginPage.class)
+						.assertAt();
+
+				FormLoginTests.HomePage homePage = loginPage.loginForm()
+						.username("user")
+						.password("password")
+						.submit(FormLoginTests.HomePage.class);
+
+				homePage.assertAt();
+
+				FormLoginTests.DefaultLogoutPage.to(driver)
+						.assertAt()
+						.logout();
+
+				FormLoginTests.HomePage.to(driver, FormLoginTests.DefaultLoginPage.class)
+						.assertAt();
+	}
 }