diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java index cf73917b0b..070da7f26e 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java @@ -23,6 +23,7 @@ import javax.servlet.http.HttpSession; import org.springframework.security.config.annotation.SecurityConfigurer; import org.springframework.security.config.annotation.web.HttpSecurityBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.core.Authentication; import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler; import org.springframework.security.web.authentication.logout.LogoutFilter; import org.springframework.security.web.authentication.logout.LogoutHandler; @@ -88,6 +89,17 @@ public final class LogoutConfigurer> extends return this; } + /** + * Specifies if {@link SecurityContextLogoutHandler} should clear the {@link Authentication} at the time of logout. + * @param clearAuthentication true {@link SecurityContextLogoutHandler} should clear the {@link Authentication} (default), or false otherwise. + * @return the {@link LogoutConfigurer} for further customization + */ + public LogoutConfigurer clearAuthentication(boolean clearAuthentication) { + contextLogoutHandler.setClearAuthentication(clearAuthentication); + return this; + } + + /** * Configures {@link SecurityContextLogoutHandler} to invalidate the * {@link HttpSession} at the time of logout. diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityLogoutTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityLogoutTests.java new file mode 100644 index 0000000000..4d6939e6f0 --- /dev/null +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityLogoutTests.java @@ -0,0 +1,112 @@ +/* + * Copyright 2002-2015 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.security.config.annotation.web.configurers; + +import static org.fest.assertions.Assertions.assertThat; + +import javax.servlet.http.HttpServletResponse; + +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Configuration; +import org.springframework.mock.web.MockFilterChain; +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.mock.web.MockHttpServletResponse; +import org.springframework.security.authentication.TestingAuthenticationToken; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.core.context.SecurityContext; +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.web.FilterChainProxy; +import org.springframework.security.web.context.HttpSessionSecurityContextRepository; +import org.springframework.web.context.support.AnnotationConfigWebApplicationContext; + +/** + * @author Rob Winch + * + */ +public class HttpSecurityLogoutTests { + AnnotationConfigWebApplicationContext context; + + MockHttpServletRequest request; + MockHttpServletResponse response; + MockFilterChain chain; + + @Autowired + FilterChainProxy springSecurityFilterChain; + + @Before + public void setup() { + request = new MockHttpServletRequest(); + response = new MockHttpServletResponse(); + chain = new MockFilterChain(); + } + + @After + public void cleanup() { + if(context != null) { + context.close(); + } + } + + // SEC-2848 + @Test + public void clearAuthenticationFalse() throws Exception { + loadConfig(ClearAuthenticationFalseConfig.class); + + SecurityContext currentContext = SecurityContextHolder.createEmptyContext(); + currentContext.setAuthentication(new TestingAuthenticationToken("user", "password","ROLE_USER")); + + request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, currentContext); + request.setMethod("POST"); + request.setServletPath("/logout"); + + springSecurityFilterChain.doFilter(request, response, chain); + + assertThat(currentContext.getAuthentication()).isNotNull(); + } + + @EnableWebSecurity + @Configuration + static class ClearAuthenticationFalseConfig extends WebSecurityConfigurerAdapter { + protected void configure(HttpSecurity http) throws Exception { + http + .csrf().disable() + .logout() + .clearAuthentication(false); + } + + @Override + protected void configure(AuthenticationManagerBuilder auth) throws Exception { + auth + .inMemoryAuthentication(); + } + } + + public void loadConfig(Class... configs) { + context = new AnnotationConfigWebApplicationContext(); + context.register(configs); + context.refresh(); + + context.getAutowireCapableBeanFactory().autowireBean(this); + } + + +}