From 6de345b972e551164dc3e22942daf29515782938 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Mon, 30 Mar 2020 16:18:02 -0500
Subject: [PATCH] Fix HttpServlet3RequestFactory Logout Handlers
Previously there was a problem with Servlet API logout integration when Servlet API was configured before log out. This ensures that logout handlers is a reference to the logout handlers vs copying the logout handlers. This ensures that the ordering does not matter. Closes gh-4760
---
 .../web/servletapi/HttpServlet3RequestFactory.java | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/servletapi/HttpServlet3RequestFactory.java b/web/src/main/java/org/springframework/security/web/servletapi/HttpServlet3RequestFactory.java
index d76b289e5a..46a124471b 100644
--- a/web/src/main/java/org/springframework/security/web/servletapi/HttpServlet3RequestFactory.java
+++ b/web/src/main/java/org/springframework/security/web/servletapi/HttpServlet3RequestFactory.java
@@ -42,7 +42,6 @@ import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.AuthenticationEntryPoint;
-import org.springframework.security.web.authentication.logout.CompositeLogoutHandler;
 import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.util.Assert;
 import org.springframework.util.CollectionUtils;
@@ -82,7 +81,7 @@ final class HttpServlet3RequestFactory implements HttpServletRequestFactory {
 private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
 private AuthenticationEntryPoint authenticationEntryPoint;
 private AuthenticationManager authenticationManager;
- private LogoutHandler logoutHandler;
+ private List logoutHandlers;
 HttpServlet3RequestFactory(String rolePrefix) {
 this.rolePrefix = rolePrefix;
@@ -146,7 +145,7 @@ final class HttpServlet3RequestFactory implements HttpServletRequestFactory {
 * {@link HttpServletRequest#logout()}.
 */
 public void setLogoutHandlers(List logoutHandlers) {
- this.logoutHandler = CollectionUtils.isEmpty(logoutHandlers) ? null : new CompositeLogoutHandler(logoutHandlers);
+ this.logoutHandlers = logoutHandlers;
 }
 /**
@@ -246,8 +245,8 @@ final class HttpServlet3RequestFactory implements HttpServletRequestFactory {
 @Override
 public void logout() throws ServletException {
- LogoutHandler handler = HttpServlet3RequestFactory.this.logoutHandler;
- if (handler == null) {
+ List handlers = HttpServlet3RequestFactory.this.logoutHandlers;
+ if (CollectionUtils.isEmpty(handlers)) {
 HttpServlet3RequestFactory.this.logger.debug(
 "logoutHandlers is null, so allowing original HttpServletRequest to handle logout");
 super.logout();
@@ -255,7 +254,9 @@ final class HttpServlet3RequestFactory implements HttpServletRequestFactory {
 }
 Authentication authentication = SecurityContextHolder.getContext()
 .getAuthentication();
- handler.logout(this, this.response, authentication);
+ for (LogoutHandler handler : handlers) {
+ handler.logout(this, this.response, authentication);
+ }
 }
 private boolean isAuthenticated() {
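Review bot: `setLogoutHandlers` now stores the caller's list itself instead of a private copy, and the Javadoc above the setter (only its last two lines are visible in this hunk) does not mention that. Sharing the reference is the point of the fix, but it means any later change to that list changes what `logout()` runs, and the loop added in the last hunk iterates it with no synchronization. If the list is a plain `ArrayList` and is modified while a request is logging out, the iteration can fail part-way and leave the remaining handlers unexecuted. I would add a sentence to the Javadoc such as `The list is held by reference and read on every logout; do not modify it once requests are being served.`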
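Review bot: The debug message in `logout()` still says `"logoutHandlers is null, ..."`, but the new guard `CollectionUtils.isEmpty(handlers)` also takes this branch for an empty list. This branch hands logout to the container through `super.logout()` with no `LogoutHandler` run, so the log line is what an operator relies on when a logout did not clear everything expected. It should name the real condition, for example `"logoutHandlers is null or empty, so allowing original HttpServletRequest to handle logout"`. The body of `logout()` continues into the next hunk, and one line between the two hunks is not shown.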