SEC-1280: NullPointerException in PersistentTokenBasedRememberMeServices when logging out twice. Added check for null authentication in logout method.

web/src/main/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServices.java

@@ -142,8 +142,11 @@ public class PersistentTokenBasedRememberMeServices extends AbstractRememberMeSe
     @Override
     public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
         super.logout(request, response, authentication);
+
+        if (authentication != null) {
             tokenRepository.removeUserTokens(authentication.getName());
         }
+    }
 
     protected String generateSeriesData() {
         byte[] newSeries = new byte[seriesLength];

web/src/test/java/org/springframework/security/web/authentication/rememberme/PersistentTokenBasedRememberMeServicesTests.java

@@ -121,6 +121,9 @@ public class PersistentTokenBasedRememberMeServicesTests {
         Cookie returnedCookie = response.getCookie("mycookiename");
         assertNotNull(returnedCookie);
         assertEquals(0, returnedCookie.getMaxAge());
+        
+        // SEC-1280
+        services.logout(request, response, null);
     }
 
     private class MockTokenRepository implements PersistentTokenRepository {