Fix WebFlux logout disabling

Fixes: gh-7682
2019-11-28 14:40:25 +01:00 · 2019-11-28 14:40:25 +01:00 · b7cb93f671
parent c38e57fa42
commit b7cb93f671
3 changed files with 60 additions and 1 deletions
--- a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
@ -2765,7 +2765,9 @@ public class ServerHttpSecurity {
 		protected void configure(ServerHttpSecurity http) {
 			if (this.csrfTokenRepository != null) {
 				this.filter.setCsrfTokenRepository(this.csrfTokenRepository);
-				http.logout().addLogoutHandler(new CsrfServerLogoutHandler(this.csrfTokenRepository));
+				if (ServerHttpSecurity.this.logout != null) {
 					ServerHttpSecurity.this.logout.addLogoutHandler(new CsrfServerLogoutHandler(this.csrfTokenRepository));
 				}
 			}
 			http.addFilterAt(this.filter, SecurityWebFiltersOrder.CSRF);
 		}
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerTests.java
@ -458,4 +458,25 @@ public class LogoutConfigurerTests {
 	@EnableWebSecurity
 	static class BasicSecurityConfig extends WebSecurityConfigurerAdapter {
 	}
 	@Test
 	public void logoutWhenDisabledThenLogoutUrlNotFound() throws Exception {
 		this.spring.register(LogoutDisabledConfig.class).autowire();
 		this.mvc.perform(post("/logout")
 				.with(csrf()))
 				.andExpect(status().isNotFound());
 	}
 	@EnableWebSecurity
 	static class LogoutDisabledConfig extends WebSecurityConfigurerAdapter {
 		@Override
 		protected void configure(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
 				.logout()
 					.disable();
 			// @formatter:on
 		}
 	}
 }
--- a/config/src/test/java/org/springframework/security/config/web/server/LogoutSpecTests.java
+++ b/config/src/test/java/org/springframework/security/config/web/server/LogoutSpecTests.java
@ -164,4 +164,40 @@ public class LogoutSpecTests {
 			.assertAt()
 			.assertLogout();
 	}
 	@Test
 	public void logoutWhenDisabledThenPostToLogoutDoesNothing() {
 		SecurityWebFilterChain securityWebFilter = this.http
 				.authorizeExchange()
 				.anyExchange().authenticated()
 				.and()
 				.formLogin().and()
 				.logout().disable()
 				.build();
 		WebTestClient webTestClient = WebTestClientBuilder
 				.bindToWebFilters(securityWebFilter)
 				.build();
 		WebDriver driver = WebTestClientHtmlUnitDriverBuilder
 				.webTestClientSetup(webTestClient)
 				.build();
 		FormLoginTests.DefaultLoginPage loginPage = FormLoginTests.HomePage.to(driver, FormLoginTests.DefaultLoginPage.class)
 				.assertAt();
 		FormLoginTests.HomePage homePage = loginPage.loginForm()
 				.username("user")
 				.password("password")
 				.submit(FormLoginTests.HomePage.class);
 		homePage.assertAt();
 		FormLoginTests.DefaultLogoutPage.to(driver)
 				.assertAt()
 				.logout();
 		homePage
 				.assertAt();
 	}
 }