Fix WebFlux logout disabling

Fixes: gh-7682
2019-11-28 14:40:25 +01:00 · 2019-11-28 14:40:25 +01:00 · b7cb93f671
parent c38e57fa42
commit b7cb93f671
3 changed files with 60 additions and 1 deletions
--- a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
@ -2765,7 +2765,9 @@ public class ServerHttpSecurity {
 		protected void configure(ServerHttpSecurity http) {
 			if (this.csrfTokenRepository != null) {
 				this.filter.setCsrfTokenRepository(this.csrfTokenRepository);
-				http.logout().addLogoutHandler(new CsrfServerLogoutHandler(this.csrfTokenRepository));
+				if (ServerHttpSecurity.this.logout != null) {
+					ServerHttpSecurity.this.logout.addLogoutHandler(new CsrfServerLogoutHandler(this.csrfTokenRepository));
+				}
 			}
 			http.addFilterAt(this.filter, SecurityWebFiltersOrder.CSRF);
 		}
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerTests.java
@ -458,4 +458,25 @@ public class LogoutConfigurerTests {
 	@EnableWebSecurity
 	static class BasicSecurityConfig extends WebSecurityConfigurerAdapter {
 	}
+
+	@Test
+	public void logoutWhenDisabledThenLogoutUrlNotFound() throws Exception {
+		this.spring.register(LogoutDisabledConfig.class).autowire();
+
+		this.mvc.perform(post("/logout")
+				.with(csrf()))
+				.andExpect(status().isNotFound());
+	}
+
+	@EnableWebSecurity
+	static class LogoutDisabledConfig extends WebSecurityConfigurerAdapter {
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.logout()
+					.disable();
+			// @formatter:on
+		}
+	}
 }
--- a/config/src/test/java/org/springframework/security/config/web/server/LogoutSpecTests.java
+++ b/config/src/test/java/org/springframework/security/config/web/server/LogoutSpecTests.java
@ -164,4 +164,40 @@ public class LogoutSpecTests {
 			.assertAt()
 			.assertLogout();
 	}
+
+	@Test
+	public void logoutWhenDisabledThenPostToLogoutDoesNothing() {
+		SecurityWebFilterChain securityWebFilter = this.http
+				.authorizeExchange()
+				.anyExchange().authenticated()
+				.and()
+				.formLogin().and()
+				.logout().disable()
+				.build();
+
+		WebTestClient webTestClient = WebTestClientBuilder
+				.bindToWebFilters(securityWebFilter)
+				.build();
+
+		WebDriver driver = WebTestClientHtmlUnitDriverBuilder
+				.webTestClientSetup(webTestClient)
+				.build();
+
+		FormLoginTests.DefaultLoginPage loginPage = FormLoginTests.HomePage.to(driver, FormLoginTests.DefaultLoginPage.class)
+				.assertAt();
+
+		FormLoginTests.HomePage homePage = loginPage.loginForm()
+				.username("user")
+				.password("password")
+				.submit(FormLoginTests.HomePage.class);
+
+		homePage.assertAt();
+
+		FormLoginTests.DefaultLogoutPage.to(driver)
+				.assertAt()
+				.logout();
+
+		homePage
+				.assertAt();
+	}
 }