Skip to content

Allow multiple ServerLogoutHandler instances in WebFlux #17381

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Allow multiple ServerLogoutHandler instances in WebFlux #17381

wants to merge 1 commit into from
+10 −4

Conversation

blake-bauman
Copy link

@blake-bauman blake-bauman commented Jun 27, 2025
edited
Loading

Spring Security for Spring MVC allows for specifying multiple LogoutHandler implementations which get wrapped in a DelegatingLogoutHandler. Spring Security for WebFlux currently only allows a single ServerLogoutHandler implementation.

This PR puts both Spring MVC and Spring WebFlux on equal functionality when it comes to logout handlers.

@blake-bauman
feat: Make addLogoutHandler() public in Webflux to allow for multi lo…
8fea725 
…gout handlers like with Servlet.

Signed-off-by: Blake Bauman <[email protected]>
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jun 27, 2025
jzheaux
jzheaux requested changes Jul 23, 2025
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @blake-bauman, for the PR! In addition to my inline feedback, will you please add some tests to confirm that the new functionality works?

config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
* @param logoutHandler
* @return the {@link LogoutSpec} to configure
*/
public LogoutSpec addLogoutHandler(ServerLogoutHandler logoutHandler) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of exposing addLogoutHandler, would logout(Consumer<List<ServerLogoutHandler>> consumer) also service your needs? The reason this is nice it because it also allows you to remove values. Please see OneTimeTokenLogoutSpec#authenticationSuccessHandler for an example.

config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
/**
* Adds a logout handler in the last position.
* @param logoutHandler
* @return the {@link LogoutSpec} to configure
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will you please add @since 7.0

@jzheaux
Copy link
Contributor

jzheaux commented Jul 23, 2025

@blake-bauman, please also make sure to sign your commit and keep the commit title to about 50 characters, for example:

Support Multiple ServerLogoutHandlers

This commit adds support to ServerHttpSecurity for registering
multiple ServerLogoutHandlers. This is handy so that an application
does not need to re-supply any handlers already configured by
the DSL

@blake-bauman
Copy link
Author

I'm a little confused because I did sign it using the -s

Screenshot 2025-07-23 at 4 58 43 PM

@blake-bauman
Copy link
Author

I didn't see any existing tests for the Logout handler. Could you point to where they might be so that I can add on?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jzheaux jzheaux jzheaux requested changes

Assignees
No one assigned
Labels
status: waiting-for-triage An issue we've not yet triaged
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@blake-bauman @jzheaux @spring-projects-issues