Logout defaults to use Global SecurityContextServerLogoutHandler

Closes gh-8375

Author: rwinch

config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

@@ -2412,7 +2412,9 @@ private HeaderSpec() {
 	 */
 	public final class LogoutSpec {
 		private LogoutWebFilter logoutWebFilter = new LogoutWebFilter();
-		private List<ServerLogoutHandler> logoutHandlers = new ArrayList<>(Arrays.asList(new SecurityContextServerLogoutHandler()));
+		private final SecurityContextServerLogoutHandler DEFAULT_LOGOUT_HANDLER = new SecurityContextServerLogoutHandler();
+		private List<ServerLogoutHandler> logoutHandlers = new ArrayList<>(Arrays.asList(this.DEFAULT_LOGOUT_HANDLER));
+
 
 		/**
 		 * Configures the logout handler. Default is {@code SecurityContextServerLogoutHandler}
@@ -2476,6 +2478,10 @@ public ServerHttpSecurity disable() {
 		}
 
 		private Optional<ServerLogoutHandler> createLogoutHandler() {
+			ServerSecurityContextRepository securityContextRepository = ServerHttpSecurity.this.securityContextRepository;
+			if (securityContextRepository != null) {
+				this.DEFAULT_LOGOUT_HANDLER.setSecurityContextRepository(securityContextRepository);
+			}
 			if (this.logoutHandlers.isEmpty()) {
 				return Optional.empty();
 			}

config/src/test/java/org/springframework/security/config/web/server/LogoutSpecTests.java

@@ -21,6 +21,7 @@
 import org.springframework.security.config.annotation.web.reactive.ServerHttpSecurityConfigurationBuilder;
 import org.springframework.security.htmlunit.server.WebTestClientHtmlUnitDriverBuilder;
 import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository;
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
 import org.springframework.test.web.reactive.server.WebTestClient;
 import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
@@ -117,4 +118,45 @@ public void customLogout() {
 			.assertAt()
 			.assertLogout();
 	}
+
+	@Test
+	public void logoutWhenCustomSecurityContextRepositoryThenLogsOut() {
+		WebSessionServerSecurityContextRepository repository = new WebSessionServerSecurityContextRepository();
+		repository.setSpringSecurityContextAttrName("CUSTOM_CONTEXT_ATTR");
+		SecurityWebFilterChain securityWebFilter = this.http
+						.securityContextRepository(repository)
+						.authorizeExchange()
+							.anyExchange().authenticated()
+							.and()
+						.formLogin()
+							.and()
+						.logout()
+							.and()
+						.build();
+
+				WebTestClient webTestClient = WebTestClientBuilder
+						.bindToWebFilters(securityWebFilter)
+						.build();
+
+				WebDriver driver = WebTestClientHtmlUnitDriverBuilder
+						.webTestClientSetup(webTestClient)
+						.build();
+
+				FormLoginTests.DefaultLoginPage loginPage = FormLoginTests.HomePage.to(driver, FormLoginTests.DefaultLoginPage.class)
+						.assertAt();
+
+				FormLoginTests.HomePage homePage = loginPage.loginForm()
+						.username("user")
+						.password("password")
+						.submit(FormLoginTests.HomePage.class);
+
+				homePage.assertAt();
+
+				FormLoginTests.DefaultLogoutPage.to(driver)
+						.assertAt()
+						.logout();
+
+				FormLoginTests.HomePage.to(driver, FormLoginTests.DefaultLoginPage.class)
+						.assertAt();
+	}
 }