
SEC-1280: NullPointerException in PersistentTokenBasedRememberMeServices when logging out twice. Added check for null authentication in logout method.

Luke Taylor 16 years ago
parent
commit
617e517e5e

+ 4 - 1
web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java

@@ -142,7 +142,10 @@ public class PersistentTokenBasedRememberMeServices extends AbstractRememberMeSe
     @Override
     public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
         super.logout(request, response, authentication);
-        tokenRepository.removeUserTokens(authentication.getName());
+
+        if (authentication != null) {
+            tokenRepository.removeUserTokens(authentication.getName());
+        }
     }
 
     protected String generateSeriesData() {
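Review bot: When `authentication` is null the new guard skips `removeUserTokens` entirely, so any persistent remember-me token still stored for the caller stays in the repository. Only whatever `super.logout` does (not visible in this hunk) runs. That is harmless for the double-logout case in SEC-1280, where the first call already removed the tokens. A logout that arrives without an Authentication for another reason (presumably an expired session) would, however, leave a server-side token that may still be accepted if the cookie value was copied earlier. I would state this in the branch, e.g. `// No Authentication means no username to key the removal on; persisted tokens are NOT removed here.`, and add a debug log line so the skipped revocation is visible in operations.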

+ 3 - 0
web/src/test/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServicesTests.java

@@ -121,6 +121,9 @@ public class PersistentTokenBasedRememberMeServicesTests {
         Cookie returnedCookie = response.getCookie("mycookiename");
         assertNotNull(returnedCookie);
         assertEquals(0, returnedCookie.getMaxAge());
+        
+        // SEC-1280
+        services.logout(request, response, null);
     }
 
     private class MockTokenRepository implements PersistentTokenRepository {
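Review bot: The added `services.logout(request, response, null);` has no assertion behind it, so the regression check passes only by not throwing. It is also appended to an existing logout test whose start is outside this hunk, and it reuses that test's `response`. A separate test method for the null-authentication case would make a failure point directly at SEC-1280. That test should assert the expected outcome on a fresh response: the cookie is still cancelled (`assertEquals(0, returnedCookie.getMaxAge());`) and the token repository was not asked to remove anything.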