Support new event for indicates logout success

Fixes gh-3307

Author: kazuki43zoo

config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2016 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -30,6 +30,7 @@
 import org.springframework.security.web.authentication.logout.LogoutFilter;
 import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
+import org.springframework.security.web.authentication.logout.LogoutSuccessEventPublishingLogoutHandler;
 import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
 import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
 import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
@@ -60,6 +61,7 @@
  * No shared objects are used.
  *
  * @author Rob Winch
+ * @author Kazuki Shimizu
  * @since 3.2
  * @see RememberMeConfigurer
  */
@@ -85,7 +87,7 @@ public LogoutConfigurer() {
 	}
 
 	/**
-	 * Adds a {@link LogoutHandler}. The {@link SecurityContextLogoutHandler} is added as
+	 * Adds a {@link LogoutHandler}. {@link SecurityContextLogoutHandler} and {@link LogoutSuccessEventPublishingLogoutHandler} are added as
 	 * the last {@link LogoutHandler} by default.
 	 *
 	 * @param logoutHandler the {@link LogoutHandler} to add
@@ -329,6 +331,7 @@ List<LogoutHandler> getLogoutHandlers() {
 	 */
 	private LogoutFilter createLogoutFilter(H http) throws Exception {
 		logoutHandlers.add(contextLogoutHandler);
+		logoutHandlers.add(postProcess(new LogoutSuccessEventPublishingLogoutHandler()));
 		LogoutHandler[] handlers = logoutHandlers
 				.toArray(new LogoutHandler[logoutHandlers.size()]);
 		LogoutFilter result = new LogoutFilter(getLogoutSuccessHandler(), handlers);

config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java

@@ -42,6 +42,7 @@
 import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
 import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
+import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.context.NullSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextRepository;
@@ -54,6 +55,7 @@
 import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy;
 import org.springframework.security.web.session.SimpleRedirectSessionInformationExpiredStrategy;
 import org.springframework.util.Assert;
+import org.springframework.util.CollectionUtils;
 
 /**
  * Allows configuring session management.
@@ -88,6 +90,7 @@
  * </ul>
  *
  * @author Rob Winch
+ * @author Kazuki Shimizu
  * @since 3.2
  * @see SessionManagementFilter
  * @see ConcurrentSessionFilter
@@ -471,7 +474,6 @@ public void configure(H http) throws Exception {
 		http.addFilter(sessionManagementFilter);
 		if (isConcurrentSessionControlEnabled()) {
 			ConcurrentSessionFilter concurrentSessionFilter = createConccurencyFilter(http);
-
 			concurrentSessionFilter = postProcess(concurrentSessionFilter);
 			http.addFilter(concurrentSessionFilter);
 		}
@@ -480,11 +482,20 @@ public void configure(H http) throws Exception {
 	private ConcurrentSessionFilter createConccurencyFilter(H http) {
 		SessionInformationExpiredStrategy expireStrategy = getExpiredSessionStrategy();
 		SessionRegistry sessionRegistry = getSessionRegistry(http);
+		ConcurrentSessionFilter concurrentSessionFilter;
 		if(expireStrategy == null) {
-			return new ConcurrentSessionFilter(sessionRegistry);
-		}
-
-		return new ConcurrentSessionFilter(sessionRegistry, expireStrategy);
+			concurrentSessionFilter = new ConcurrentSessionFilter(sessionRegistry);
+		} else {
+			concurrentSessionFilter = new ConcurrentSessionFilter(sessionRegistry, expireStrategy);
+		}
+		@SuppressWarnings("unchecked")
+		LogoutConfigurer<H> logoutConf = http.getConfigurer(LogoutConfigurer.class);
+		List<LogoutHandler> logoutHandlers = logoutConf == null ? null : logoutConf
+				.getLogoutHandlers();
+		if (!CollectionUtils.isEmpty(logoutHandlers)) {
+			concurrentSessionFilter.setLogoutHandlers(logoutHandlers);
+		}
+		return concurrentSessionFilter;
 	}
 
 	/**

config/src/main/java/org/springframework/security/config/http/LogoutBeanDefinitionParser.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2012 the original author or authors.
+ * Copyright 2002-2016 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,13 +25,15 @@
 import org.springframework.beans.factory.xml.ParserContext;
 import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
 import org.springframework.security.web.authentication.logout.LogoutFilter;
+import org.springframework.security.web.authentication.logout.LogoutSuccessEventPublishingLogoutHandler;
 import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
 import org.springframework.util.StringUtils;
 import org.w3c.dom.Element;
 
 /**
  * @author Luke Taylor
  * @author Ben Alex
+ * @author Kazuki Shimizu
  */
 class LogoutBeanDefinitionParser implements BeanDefinitionParser {
 	static final String ATT_LOGOUT_SUCCESS_URL = "logout-success-url";
@@ -120,6 +122,8 @@ public BeanDefinition parse(Element element, ParserContext pc) {
 			logoutHandlers.add(cookieDeleter);
 		}
 
+		logoutHandlers.add(new RootBeanDefinition(LogoutSuccessEventPublishingLogoutHandler.class));
+
 		builder.addConstructorArgValue(logoutHandlers);
 
 		return builder.getBeanDefinition();

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerTests.groovy

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2016 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,12 +23,16 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
 import org.springframework.security.web.authentication.RememberMeServices
 import org.springframework.security.web.authentication.logout.LogoutFilter
+import org.springframework.security.web.authentication.logout.LogoutSuccessEventPublishingLogoutHandler
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler
+import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler
+import org.springframework.security.web.csrf.CsrfLogoutHandler
 import org.springframework.security.web.util.matcher.RequestMatcher
 
 /**
  *
  * @author Rob Winch
+ * @author Kazuki Shimizu
  */
 class LogoutConfigurerTests extends BaseSpringSpec {
 
@@ -251,4 +255,21 @@ class LogoutConfigurerTests extends BaseSpringSpec {
 	@EnableWebSecurity
 	static class LogoutXMLHttpRequestConfig extends WebSecurityConfigurerAdapter {
 	}
+
+	def "LogoutConfigurer logout handler by default configuration"() {
+		when:
+			loadConfig(DefaultWebSecurityConfig)
+		then:
+			def logoutFilter = findFilter(LogoutFilter)
+			logoutFilter.handler.logoutHandlers.size() == 3
+			logoutFilter.handler.logoutHandlers[0].class == CsrfLogoutHandler
+			logoutFilter.handler.logoutHandlers[1].class == SecurityContextLogoutHandler
+			logoutFilter.handler.logoutHandlers[2].class == LogoutSuccessEventPublishingLogoutHandler
+			logoutFilter.handler.logoutHandlers[2].applicationEventPublisher != null
+
+	}
+	@EnableWebSecurity
+	static class DefaultWebSecurityConfig extends WebSecurityConfigurerAdapter {
+	}
+
 }

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurerTests.groovy

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2016 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
 package org.springframework.security.config.annotation.web.configurers
 
 import groovy.transform.CompileStatic
+import org.springframework.security.web.authentication.logout.LogoutSuccessEventPublishingLogoutHandler
 
 import javax.servlet.ServletException
 import javax.servlet.ServletRequest
@@ -43,6 +44,7 @@ import org.springframework.security.web.servletapi.SecurityContextHolderAwareReq
 /**
  *
  * @author Rob Winch
+ * @author Kazuki Shimizu
  */
 class ServletApiConfigurerTests extends BaseSpringSpec {
 
@@ -71,7 +73,7 @@ class ServletApiConfigurerTests extends BaseSpringSpec {
 		and: "requestFactory != null"
 			filter.requestFactory != null
 		and: "logoutHandlers populated"
-			filter.logoutHandlers.collect { it.class } == [CsrfLogoutHandler, SecurityContextLogoutHandler]
+			filter.logoutHandlers.collect { it.class } == [CsrfLogoutHandler, SecurityContextLogoutHandler, LogoutSuccessEventPublishingLogoutHandler]
 	}
 
 

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.groovy

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2016 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,11 +15,13 @@
  */
 package org.springframework.security.config.annotation.web.configurers
 
+import org.springframework.security.web.authentication.logout.LogoutSuccessEventPublishingLogoutHandler
+import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler
+import org.springframework.security.web.csrf.CsrfLogoutHandler
+
 import javax.servlet.http.HttpServletResponse
 
 import org.springframework.mock.web.MockFilterChain
-import org.springframework.mock.web.MockHttpServletRequest
-import org.springframework.mock.web.MockHttpServletResponse
 import org.springframework.security.authentication.AuthenticationTrustResolver
 import org.springframework.security.config.annotation.AnyObjectPostProcessor
 import org.springframework.security.config.annotation.BaseSpringSpec
@@ -44,6 +46,7 @@ import org.springframework.security.web.session.SessionManagementFilter
 /**
  *
  * @author Rob Winch
+ * @author Kazuki Shimizu
  */
 class SessionManagementConfigurerTests extends BaseSpringSpec {
 
@@ -250,4 +253,26 @@ class SessionManagementConfigurerTests extends BaseSpringSpec {
 				.setSharedObject(AuthenticationTrustResolver, TR)
 		}
 	}
+
+	def "logout handler by default configuration"() {
+		when:
+		loadConfig(ConcurrencyWebSecurityConfig)
+		then:
+		def concurrentSessionFilter = findFilter(ConcurrentSessionFilter)
+		concurrentSessionFilter.handlers.logoutHandlers.size() == 3
+		concurrentSessionFilter.handlers.logoutHandlers[0].class == CsrfLogoutHandler
+		concurrentSessionFilter.handlers.logoutHandlers[1].class == SecurityContextLogoutHandler
+		concurrentSessionFilter.handlers.logoutHandlers[2].class == LogoutSuccessEventPublishingLogoutHandler
+		concurrentSessionFilter.handlers.logoutHandlers[2].applicationEventPublisher != null
+	}
+
+	@EnableWebSecurity
+	static class ConcurrencyWebSecurityConfig extends WebSecurityConfigurerAdapter {
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			super.configure(http)
+			http.sessionManagement().maximumSessions(1)
+		}
+	}
+
 }

config/src/test/groovy/org/springframework/security/config/http/RememberMeConfigTests.groovy

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2015 the original author or authors.
+ * Copyright 2002-2016 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,6 +15,8 @@
  */
 package org.springframework.security.config.http
 
+import org.springframework.security.web.authentication.logout.LogoutSuccessEventPublishingLogoutHandler
+
 import static org.springframework.security.config.ConfigTestUtils.AUTH_PROVIDER_XML
 
 import javax.sql.DataSource
@@ -42,6 +44,7 @@ import org.springframework.security.web.authentication.rememberme.TokenBasedReme
  * @author Luke Taylor
  * @author Rob Winch
  * @author Oliver Becker
+ * @author Kazuki Shimizu
  */
 class RememberMeConfigTests extends AbstractHttpConfigTests {
 
@@ -110,8 +113,11 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
 		rmp != null
 		5000 == FieldUtils.getFieldValue(rememberMeServices(), "tokenValiditySeconds")
 		// SEC-909
-		logoutHandlers.size() == 2
+		logoutHandlers.size() == 3
+		logoutHandlers.get(0) instanceof SecurityContextLogoutHandler
 		logoutHandlers.get(1) == rememberMeServices()
+		logoutHandlers.get(2) instanceof LogoutSuccessEventPublishingLogoutHandler
+		logoutHandlers.get(2).applicationEventPublisher != null
 		// SEC-1281
 		rmp.key == "ourkey"
 	}
@@ -128,9 +134,11 @@ class RememberMeConfigTests extends AbstractHttpConfigTests {
 
 		expect:
 		rememberMeServices
-		logoutHandlers.size() == 2
+		logoutHandlers.size() == 3
 		logoutHandlers.get(0) instanceof SecurityContextLogoutHandler
 		logoutHandlers.get(1) == rememberMeServices
+		logoutHandlers.get(2) instanceof LogoutSuccessEventPublishingLogoutHandler
+		logoutHandlers.get(2).applicationEventPublisher != null
 	}
 
 	def rememberMeTokenValidityIsParsedCorrectly() {

config/src/test/groovy/org/springframework/security/config/http/SecurityContextHolderAwareRequestConfigTests.groovy

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2012 the original author or authors.
+ * Copyright 2002-2016 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,15 +15,13 @@
  */
 package org.springframework.security.config.http
 
-import static org.springframework.security.config.ConfigTestUtils.AUTH_PROVIDER_XML
+import org.springframework.security.web.authentication.logout.LogoutSuccessEventPublishingLogoutHandler
 
-import java.io.IOException;
+import static org.springframework.security.config.ConfigTestUtils.AUTH_PROVIDER_XML
 
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest
-import javax.servlet.http.HttpServletResponse
 
 import org.springframework.mock.web.MockFilterChain
 import org.springframework.mock.web.MockHttpServletRequest
@@ -43,6 +41,7 @@ import org.springframework.security.web.servletapi.SecurityContextHolderAwareReq
 /**
  *
  * @author Rob Winch
+ * @author Kazuki Shimizu
  */
 class SecurityContextHolderAwareRequestConfigTests extends AbstractHttpConfigTests {
 
@@ -57,8 +56,10 @@ class SecurityContextHolderAwareRequestConfigTests extends AbstractHttpConfigTes
 		expect:
 		securityContextAwareFilter.authenticationEntryPoint.loginFormUrl == getFilter(ExceptionTranslationFilter).authenticationEntryPoint.loginFormUrl
 		securityContextAwareFilter.authenticationManager == getFilter(UsernamePasswordAuthenticationFilter).authenticationManager
-		securityContextAwareFilter.logoutHandlers.size() == 1
+		securityContextAwareFilter.logoutHandlers.size() == 2
 		securityContextAwareFilter.logoutHandlers[0].class == SecurityContextLogoutHandler
+		securityContextAwareFilter.logoutHandlers[1].class == LogoutSuccessEventPublishingLogoutHandler
+		securityContextAwareFilter.logoutHandlers[1].applicationEventPublisher != null
 	}
 
 	def explicitEntryPoint() {
@@ -112,16 +113,20 @@ class SecurityContextHolderAwareRequestConfigTests extends AbstractHttpConfigTes
 		securityContextAwareFilter.authenticationEntryPoint.loginFormUrl == '/login'
 		securityContextAwareFilter.authenticationManager == getFilters('/first/filters').find { it instanceof UsernamePasswordAuthenticationFilter}.authenticationManager
 		securityContextAwareFilter.authenticationManager.parent == appContext.getBean('authManager')
-		securityContextAwareFilter.logoutHandlers.size() == 1
+		securityContextAwareFilter.logoutHandlers.size() == 2
 		securityContextAwareFilter.logoutHandlers[0].class == SecurityContextLogoutHandler
 		securityContextAwareFilter.logoutHandlers[0].invalidateHttpSession == true
+		securityContextAwareFilter.logoutHandlers[1].class == LogoutSuccessEventPublishingLogoutHandler
+		securityContextAwareFilter.logoutHandlers[1].applicationEventPublisher != null
 
 		secondSecurityContextAwareFilter.authenticationEntryPoint.loginFormUrl == '/login2'
 		secondSecurityContextAwareFilter.authenticationManager == getFilter(UsernamePasswordAuthenticationFilter).authenticationManager
 		secondSecurityContextAwareFilter.authenticationManager.parent == appContext.getBean('authManager2')
-		securityContextAwareFilter.logoutHandlers.size() == 1
+		secondSecurityContextAwareFilter.logoutHandlers.size() == 2
 		secondSecurityContextAwareFilter.logoutHandlers[0].class == SecurityContextLogoutHandler
 		secondSecurityContextAwareFilter.logoutHandlers[0].invalidateHttpSession == false
+		secondSecurityContextAwareFilter.logoutHandlers[1].class == LogoutSuccessEventPublishingLogoutHandler
+		secondSecurityContextAwareFilter.logoutHandlers[1].applicationEventPublisher != null
 	}
 
 	def logoutCustom() {
@@ -137,11 +142,13 @@ class SecurityContextHolderAwareRequestConfigTests extends AbstractHttpConfigTes
 		expect:
 		securityContextAwareFilter.authenticationEntryPoint.loginFormUrl == getFilter(ExceptionTranslationFilter).authenticationEntryPoint.loginFormUrl
 		securityContextAwareFilter.authenticationManager == getFilter(UsernamePasswordAuthenticationFilter).authenticationManager
-		securityContextAwareFilter.logoutHandlers.size() == 2
+		securityContextAwareFilter.logoutHandlers.size() == 3
 		securityContextAwareFilter.logoutHandlers[0].class == SecurityContextLogoutHandler
 		securityContextAwareFilter.logoutHandlers[0].invalidateHttpSession == false
 		securityContextAwareFilter.logoutHandlers[1].class == CookieClearingLogoutHandler
 		securityContextAwareFilter.logoutHandlers[1].cookiesToClear == ['JSESSIONID']
+		securityContextAwareFilter.logoutHandlers[2].class == LogoutSuccessEventPublishingLogoutHandler
+		securityContextAwareFilter.logoutHandlers[2].applicationEventPublisher != null
 	}
 
 	def 'SEC-2926: Role Prefix is set'() {