From 2d7bc17dda09aa2a524963ec5f3a3739e977fdd7 Mon Sep 17 00:00:00 2001
From: SippingCode <55111084+SippingCode@users.noreply.github.com>
Date: Tue, 5 May 2020 00:08:00 +0200
Subject: [PATCH] Bael 3970 (#9236)

* Manual logout with Spring Security
- Basic manual logout
- logout with Clear Data Site Header

* Add missing annotation for controller. Change mapping URL value.

* Add intergration tests for manual logouts.

* BAEL-3970 - Add asserts on test. Fix tests names. Remove unused imports.

* BAEL-3970 - Use PostMapping annotation. Remove unnecessary information for security configuration.

* remove logout controllers

* Add multiple entrypoints configurations. Create custom handlers for different logouts (basic, cookie clearing, clear-site-data).

* Refactor configuration with lambda DSL.

* BAEL-3970 - Remove unnecessary handler for basic logout. Fix integration tests for basic logout.
---
 .../SimpleSecurityConfiguration.java          | 58 +++++++++----------
 .../ManualLogoutIntegrationTest.java          |  9 +--
 2 files changed, 29 insertions(+), 38 deletions(-)

diff --git a/spring-5-security/src/main/java/com/baeldung/manuallogout/SimpleSecurityConfiguration.java b/spring-5-security/src/main/java/com/baeldung/manuallogout/SimpleSecurityConfiguration.java
index 63394b64f2..08c2d83b99 100644
--- a/spring-5-security/src/main/java/com/baeldung/manuallogout/SimpleSecurityConfiguration.java
+++ b/spring-5-security/src/main/java/com/baeldung/manuallogout/SimpleSecurityConfiguration.java
@@ -2,14 +2,12 @@ package com.baeldung.manuallogout;
 
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
 import org.springframework.security.web.authentication.logout.HeaderWriterLogoutHandler;
 import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
-import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
 import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter;
 
 import javax.servlet.http.Cookie;
@@ -26,13 +24,11 @@ public class SimpleSecurityConfiguration {
         @Override
         protected void configure(HttpSecurity http) throws Exception {
             http
-                    .antMatcher("/basic/**")
-                    .authorizeRequests(authz -> authz.anyRequest().permitAll())
-                    .logout(logout -> logout
-                            .logoutUrl("/basic/basiclogout")
-                            .addLogoutHandler(new SecurityContextLogoutHandler())
-                            .addLogoutHandler(new CookieClearingLogoutHandler(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY))
-                    );
+                .antMatcher("/basic/**")
+                .authorizeRequests(authz -> authz.anyRequest().permitAll())
+                .logout(logout -> logout
+                    .logoutUrl("/basic/basiclogout")
+                );
         }
     }
 
@@ -42,20 +38,20 @@ public class SimpleSecurityConfiguration {
         @Override
         protected void configure(HttpSecurity http) throws Exception {
             http
-                    .antMatcher("/cookies/**")
-                    .authorizeRequests(authz -> authz.anyRequest().permitAll())
-                    .logout(logout -> logout
-                            .logoutUrl("/cookies/cookielogout")
-                            .addLogoutHandler(new SecurityContextLogoutHandler())
-                            .addLogoutHandler((request, response, auth) -> {
-                                        for (Cookie cookie : request.getCookies()) {
-                                            String cookieName = cookie.getName();
-                                            Cookie cookieToDelete = new Cookie(cookieName, null);
-                                            cookieToDelete.setMaxAge(0);
-                                            response.addCookie(cookieToDelete);
-                                        }
-                                    }
-                            ));
+                .antMatcher("/cookies/**")
+                .authorizeRequests(authz -> authz.anyRequest().permitAll())
+                .logout(logout -> logout
+                    .logoutUrl("/cookies/cookielogout")
+                    .addLogoutHandler(new SecurityContextLogoutHandler())
+                    .addLogoutHandler((request, response, auth) -> {
+                        for (Cookie cookie : request.getCookies()) {
+                            String cookieName = cookie.getName();
+                            Cookie cookieToDelete = new Cookie(cookieName, null);
+                            cookieToDelete.setMaxAge(0);
+                            response.addCookie(cookieToDelete);
+                        }
+                    })
+                );
         }
     }
 
@@ -64,17 +60,17 @@ public class SimpleSecurityConfiguration {
     public static class ClearSiteDataHeaderLogoutConfiguration extends WebSecurityConfigurerAdapter {
 
         private static final ClearSiteDataHeaderWriter.Directive[] SOURCE =
-                { CACHE, COOKIES, STORAGE, EXECUTION_CONTEXTS };
+            {CACHE, COOKIES, STORAGE, EXECUTION_CONTEXTS};
 
         @Override
         protected void configure(HttpSecurity http) throws Exception {
             http
-                    .antMatcher("/csd/**")
-                    .authorizeRequests(authz -> authz.anyRequest().permitAll())
-                    .logout(logout -> logout
-                            .logoutUrl("/csd/csdlogout")
-                            .addLogoutHandler(new HeaderWriterLogoutHandler(new ClearSiteDataHeaderWriter(SOURCE)))
-                    );
+                .antMatcher("/csd/**")
+                .authorizeRequests(authz -> authz.anyRequest().permitAll())
+                .logout(logout -> logout
+                    .logoutUrl("/csd/csdlogout")
+                    .addLogoutHandler(new HeaderWriterLogoutHandler(new ClearSiteDataHeaderWriter(SOURCE)))
+                );
         }
     }
 }
diff --git a/spring-5-security/src/test/java/com/baeldung/manuallogout/ManualLogoutIntegrationTest.java b/spring-5-security/src/test/java/com/baeldung/manuallogout/ManualLogoutIntegrationTest.java
index 09e7daf877..8909dc2620 100644
--- a/spring-5-security/src/test/java/com/baeldung/manuallogout/ManualLogoutIntegrationTest.java
+++ b/spring-5-security/src/test/java/com/baeldung/manuallogout/ManualLogoutIntegrationTest.java
@@ -39,15 +39,10 @@ public class ManualLogoutIntegrationTest {
     @Test
     public void givenLoggedUserWhenUserLogoutThenSessionClearedAndNecessaryCookieCleared() throws Exception {
 
-        MockHttpServletRequest requestStateAfterLogout = this.mockMvc.perform(post("/basic/basiclogout").secure(true).with(csrf()))
+        this.mockMvc.perform(post("/basic/basiclogout").secure(true).with(csrf()))
                 .andExpect(status().is3xxRedirection())
                 .andExpect(unauthenticated())
-                .andExpect(cookie().maxAge(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY, 0))
-                .andReturn()
-                .getRequest();
-
-        HttpSession sessionStateAfterLogout = requestStateAfterLogout.getSession();
-        assertNull(sessionStateAfterLogout.getAttribute(ATTRIBUTE_NAME));
+                .andReturn();
     }
 
     @WithMockUser(value = "spring")