
Global ServerSecurityContextRepository ignored by logout #8375

Closed
EtienneMiret opened this issue Apr 11, 2020 · 5 comments
Assignees
Labels
in: config An issue in spring-security-config status: backported An issue that has been backported to maintenance branches type: bug A general bug
Milestone

Comments

@EtienneMiret

Summary

When configuring a global ServerSecurityContextRepository on the SecurityWebFilterChain, it is used by all authentication mechanisms (since #7249) but not by the logout handler.

Actual Behavior

When configuring a custom ServerSecurityContextRepository, the SecurityContextServerLogoutHandler still uses the default WebSessionServerSecurityContextRepository.

Expected Behavior

I’d expect that the ServerHttpSecurity.securityContextRepository () method sets the ServerSecurityContextRepository everywhere.

Configuration

// Imports added for completeness (they were not in the original report).
// CustomSecurityContextRepository is the reporter's own class and is not shown.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.context.ServerSecurityContextRepository;
import org.springframework.web.reactive.config.EnableWebFlux;
import org.springframework.web.server.adapter.AbstractReactiveWebInitializer;

@Configuration
@EnableWebFluxSecurity
@EnableWebFlux
public class Main extends AbstractReactiveWebInitializer {

  @Bean
  public SecurityWebFilterChain springSecurityFilterChain (ServerHttpSecurity http) {
    return http
        // Global repository: used by form login, but (before the fix) not by logout
        .securityContextRepository (securityContextRepository ())
        .formLogin ()
            .and ()
        .logout ()
            .logoutUrl ("/logout")
            .and ()
        .build ();
  }

  @Bean
  public ServerSecurityContextRepository securityContextRepository () {
    return new CustomSecurityContextRepository ();
  }

  @Bean
  public ReactiveUserDetailsService userDetailsService () {
    // withDefaultPasswordEncoder() is intended for demos, not production
    var user = User.withDefaultPasswordEncoder ()
        .username ("user")
        .password ("user")
        .roles ("USER")
        .build ();
    return new MapReactiveUserDetailsService (user);
  }

  @Override
  protected Class<?>[] getConfigClasses () {
    return new Class<?>[] { Main.class };
  }

}

Version

  • Spring Security : 5.3.0.RELEASE
  • Spring Framework : 5.2.5.RELEASE

Sample

https://github.com/EtienneMiret/spring-security-logout

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 11, 2020
@rwinch rwinch self-assigned this Apr 13, 2020
@rwinch
Member

rwinch commented Apr 13, 2020

Thanks for the report. I have confirmed this is an issue. I will push a fix out. In the meantime, you can work around it by explicitly providing a logout handler. So changing your example to be something like this would work:

// Import needed for the handler (added for completeness):
// import org.springframework.security.web.server.authentication.logout.SecurityContextServerLogoutHandler;

@Bean
public SecurityWebFilterChain springSecurityFilterChain (ServerHttpSecurity http, ServerSecurityContextRepository repository) {
  // Point the logout handler at the same repository the rest of the chain uses
  SecurityContextServerLogoutHandler handler = new SecurityContextServerLogoutHandler();
  handler.setSecurityContextRepository(repository);
  return http
      .securityContextRepository (repository)
      .formLogin ()
          .and ()
      .logout ()
          .logoutHandler(handler)
          .logoutUrl ("/logout")
          .and ()
      .build ();
}

@Bean
public ServerSecurityContextRepository securityContextRepository () {
  return new CustomSecurityContextRepository ();
}
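As an added illustration of both the reported behaviour and the workaround above (this is not code from the issue, the reporter's sample, or Spring Security itself), the following JUnit 5 test pairs an assumed stand-in for the reporter's CustomSecurityContextRepository (an in-memory store keyed by a session cookie) with SecurityContextServerLogoutHandler. It relies on spring-test's MockServerWebExchange; the class names, cookie name and session ids are constructed for the example. One detail worth checking in any custom repository: the logout handler signals logout by calling save(exchange, null), so a repository that does not treat a null context as "delete" leaves the old session valid even once the handler is wired correctly.

```java
package example;

import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertNull;

import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

import org.junit.jupiter.api.Test;
import org.springframework.http.HttpCookie;
import org.springframework.http.ResponseCookie;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.security.web.server.authentication.logout.SecurityContextServerLogoutHandler;
import org.springframework.security.web.server.context.ServerSecurityContextRepository;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

class LogoutClearsCustomRepositoryTest {

  // Assumed stand-in for the issue's CustomSecurityContextRepository:
  // an in-memory store keyed by an (assumed) APP_SESSION cookie.
  static class CookieBackedRepository implements ServerSecurityContextRepository {
    static final String COOKIE = "APP_SESSION";
    final Map<String, SecurityContext> store = new ConcurrentHashMap<>();

    @Override
    public Mono<Void> save(ServerWebExchange exchange, SecurityContext context) {
      String id = sessionId(exchange);
      if (context == null || context.getAuthentication() == null) {
        // SecurityContextServerLogoutHandler calls save(exchange, null) on logout;
        // treating that as a delete is what actually invalidates the session.
        if (id != null) store.remove(id);
        return Mono.empty();
      }
      if (id == null) {
        id = UUID.randomUUID().toString();
        exchange.getResponse().addCookie(
            ResponseCookie.from(COOKIE, id).httpOnly(true).secure(true).path("/").build());
      }
      store.put(id, context);
      return Mono.empty();
    }

    @Override
    public Mono<SecurityContext> load(ServerWebExchange exchange) {
      String id = sessionId(exchange);
      return id == null ? Mono.empty() : Mono.justOrEmpty(store.get(id));
    }

    private static String sessionId(ServerWebExchange exchange) {
      HttpCookie cookie = exchange.getRequest().getCookies().getFirst(COOKIE);
      return cookie == null ? null : cookie.getValue();
    }
  }

  private final CookieBackedRepository repository = new CookieBackedRepository();
  private final Authentication user = new TestingAuthenticationToken("user", "user", "ROLE_USER");

  // Constructed POST /logout request carrying the session cookie
  private ServerWebExchange exchangeWithSession(String id) {
    return MockServerWebExchange.from(MockServerHttpRequest.post("/logout")
        .cookie(new HttpCookie(CookieBackedRepository.COOKIE, id)).build());
  }

  private Mono<Void> logout(SecurityContextServerLogoutHandler handler, ServerWebExchange exchange) {
    return handler.logout(new WebFilterExchange(exchange, e -> Mono.empty()), user);
  }

  @Test
  void defaultHandlerLeavesCustomSessionAlive() {
    ServerWebExchange exchange = exchangeWithSession("constructed-session-1");
    repository.save(exchange, new SecurityContextImpl(user)).block();

    // The reported behaviour: the handler still targets the WebSession repository
    logout(new SecurityContextServerLogoutHandler(), exchange).block();

    assertNotNull(repository.load(exchange).block(), "context survived logout: stale session");
  }

  @Test
  void handlerBoundToCustomRepositoryClearsSession() {
    ServerWebExchange exchange = exchangeWithSession("constructed-session-2");
    repository.save(exchange, new SecurityContextImpl(user)).block();

    SecurityContextServerLogoutHandler handler = new SecurityContextServerLogoutHandler();
    handler.setSecurityContextRepository(repository); // the workaround from the comment above
    logout(handler, exchange).block();

    assertNull(repository.load(exchange).block(), "logout removed the stored context");
  }
}
```

The first test documents the symptom (a logged-out user's session is still loadable from the custom store); the second is the regression check to keep once the fix or workaround is in place.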

@rwinch
Member

rwinch commented Apr 14, 2020

Thanks again for the ticket. This is fixed in master and backported to 5.3.x 5.2.x and 5.1.x.

@EtienneMiret
Author

You’re welcome. I’m glad it was indeed an issue, and not a misunderstanding on my side. I would’ve hated to waste your time.

@rwinch
Member

rwinch commented Apr 14, 2020

No problem. Did the workaround work for you in the meantime?

@EtienneMiret
Author

Yes! The workaround works fine. Thank you!
