Apply DefaultLoginPageConfigurer before logout

If they are not applied in this order, then the LogoutConfigurer cannot
set the logoutSuccessUrl, because the DefaultLoginPageGeneratingFilter
does not exist yet.
This impacts users that inject the default HttpSecurity bean.

Closes gh-9973

config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java

@@ -94,8 +94,8 @@ class HttpSecurityConfiguration {
 			.requestCache(withDefaults())
 			.anonymous(withDefaults())
 			.servletApi(withDefaults())
-			.logout(withDefaults())
 			.apply(new DefaultLoginPageConfigurer<>());
+		http.logout(withDefaults());
 		// @formatter:on
 		return http;
 	}

config/src/test/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java

@@ -187,6 +187,18 @@ public class HttpSecurityConfigurationTests {
 		this.mockMvc.perform(get("/login")).andExpect(status().isOk());
 	}
 
+	@Test
+	public void loginWhenUsingDefaultsThenDefaultLoginFailurePageGenerated() throws Exception {
+		this.spring.register(SecurityEnabledConfig.class).autowire();
+		this.mockMvc.perform(get("/login?error")).andExpect(status().isOk());
+	}
+
+	@Test
+	public void loginWhenUsingDefaultsThenDefaultLogoutSuccessPageGenerated() throws Exception {
+		this.spring.register(SecurityEnabledConfig.class).autowire();
+		this.mockMvc.perform(get("/login?logout")).andExpect(status().isOk());
+	}
+
 	@RestController
 	static class NameController {