
SEC-2848: LogoutConfigurer allows setting clearAuthentication

Rob Winch 9 years ago
parent
commit
07848a1060

+ 11 - 0
config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java

@@ -23,6 +23,7 @@ import javax.servlet.http.HttpSession;
 import org.springframework.security.config.annotation.SecurityConfigurer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
 import org.springframework.security.web.authentication.logout.LogoutFilter;
 import org.springframework.security.web.authentication.logout.LogoutHandler;
@@ -98,6 +99,16 @@ public final class LogoutConfigurer<H extends HttpSecurityBuilder<H>> extends Ab
         return this;
     }
 
+    /**
+     * Specifies if {@link SecurityContextLogoutHandler} should clear the {@link Authentication} at the time of logout.
+     * @param clearAuthentication true {@link SecurityContextLogoutHandler} should clear the {@link Authentication} (default), or false otherwise.
+     * @return the {@link LogoutConfigurer} for further customization
+     */
+    public LogoutConfigurer<H> clearAuthentication(boolean clearAuthentication) {
+        contextLogoutHandler.setClearAuthentication(clearAuthentication);
+        return this;
+    }
+
     /**
      * The URL that triggers log out to occur (default is "/logout"). If CSRF
      * protection is enabled (default), then the request must also be a POST.
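Review bot: The new Javadoc on `clearAuthentication` does not say what turning it off costs, and the `@param` line reads awkwardly — `true {@link SecurityContextLogoutHandler} should clear` is missing an "if". With `contextLogoutHandler.setClearAuthentication(false)` the logout endpoint leaves the caller's Authentication in the SecurityContext, so the user only stops being authenticated because the session is presumably still invalidated by the same handler; if a caller also disables session invalidation (the configurer appears to expose that option elsewhere, outside this hunk), a POST to /logout becomes a no-op from a security standpoint. I would add to the Javadoc: `Setting this to {@code false} relies on the HTTP session still being invalidated; disabling both leaves the user effectively logged in after logout.` The enclosing class LogoutConfigurer continues outside the hunk.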

+ 110 - 0
config/src/test/java/org/springframework/security/config/annotation/web/configurers/HttpSecurityLogoutTests.java

@@ -0,0 +1,110 @@
+/*
+ * Copyright 2002-2015 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.annotation.web.configurers;
+
+import static org.fest.assertions.Assertions.assertThat;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.mock.web.MockFilterChain;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.FilterChainProxy;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
+
+/**
+ * @author Rob Winch
+ *
+ */
+public class HttpSecurityLogoutTests {
+    AnnotationConfigWebApplicationContext context;
+
+    MockHttpServletRequest request;
+    MockHttpServletResponse response;
+    MockFilterChain chain;
+
+    @Autowired
+    FilterChainProxy springSecurityFilterChain;
+
+    @Before
+    public void setup() {
+        request = new MockHttpServletRequest();
+        response = new MockHttpServletResponse();
+        chain = new MockFilterChain();
+    }
+
+    @After
+    public void cleanup() {
+        if(context != null) {
+            context.close();
+        }
+    }
+
+    // SEC-2848
+    @Test
+    public void clearAuthenticationFalse() throws Exception {
+        loadConfig(ClearAuthenticationFalseConfig.class);
+
+        SecurityContext currentContext = SecurityContextHolder.createEmptyContext();
+        currentContext.setAuthentication(new TestingAuthenticationToken("user", "password","ROLE_USER"));
+
+        request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, currentContext);
+        request.setMethod("POST");
+        request.setServletPath("/logout");
+
+        springSecurityFilterChain.doFilter(request, response, chain);
+
+        assertThat(currentContext.getAuthentication()).isNotNull();
+    }
+
+    @EnableWebSecurity
+    @Configuration
+    static class ClearAuthenticationFalseConfig extends WebSecurityConfigurerAdapter {
+        protected void configure(HttpSecurity http) throws Exception {
+            http
+                .csrf().disable()
+                .logout()
+                    .clearAuthentication(false);
+        }
+
+        @Override
+        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+            auth
+                .inMemoryAuthentication();
+        }
+    }
+
+    public void loadConfig(Class<?>... configs) {
+        context = new AnnotationConfigWebApplicationContext();
+        context.register(configs);
+        context.refresh();
+
+        context.getAutowireCapableBeanFactory().autowireBean(this);
+    }
+
+
+}
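Review bot: The only assertion in `clearAuthenticationFalse` is on the context object the test built itself, so it proves the Authentication was not cleared but not that logout still did anything; a configuration that silently left the user logged in would pass unchanged. Since `ClearAuthenticationFalseConfig` presumably leaves session invalidation at its default, adding `assertThat(request.getSession(false)).isNull();` after the `doFilter` call would pin that the session is still discarded. A companion test with `clearAuthentication` left at its default, asserting `currentContext.getAuthentication()` is null, would guard the default against regression. The `@Autowired` field is populated by `loadConfig` via `autowireBean` rather than by the JUnit runner, which is worth a one-line comment on the field: `// populated by loadConfig(), not by a Spring test runner`.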