
Fix WebFlux logout disabling

Fixes: gh-7682
Eleftheria Stein 5 年之前
父節點
當前提交
b7cb93f671

+ 3 - 1
config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

@@ -2765,7 +2765,9 @@ public class ServerHttpSecurity {
 		protected void configure(ServerHttpSecurity http) {
 			if (this.csrfTokenRepository != null) {
 				this.filter.setCsrfTokenRepository(this.csrfTokenRepository);
-				http.logout().addLogoutHandler(new CsrfServerLogoutHandler(this.csrfTokenRepository));
+				if (ServerHttpSecurity.this.logout != null) {
+					ServerHttpSecurity.this.logout.addLogoutHandler(new CsrfServerLogoutHandler(this.csrfTokenRepository));
+				}
 			}
 			http.addFilterAt(this.filter, SecurityWebFiltersOrder.CSRF);
 		}
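Review bot: The new null check on `ServerHttpSecurity.this.logout` has no comment saying why the field is read instead of calling `http.logout()`, so a later cleanup could easily revert it. Judging by the removed line and the commit title, `http.logout()` presumably re-created the logout spec and so re-enabled a logout the application had disabled. A comment above the `if`, such as `// do not call http.logout() here: it would re-enable a disabled logout`, would record that. The method's Javadoc should also state that with logout disabled no `CsrfServerLogoutHandler` is registered, so an application that ends sessions by its own means has to clear the CSRF token itself.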

+ 21 - 0
config/src/test/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerTests.java

@@ -458,4 +458,25 @@ public class LogoutConfigurerTests {
 	@EnableWebSecurity
 	static class BasicSecurityConfig extends WebSecurityConfigurerAdapter {
 	}
+
+	@Test
+	public void logoutWhenDisabledThenLogoutUrlNotFound() throws Exception {
+		this.spring.register(LogoutDisabledConfig.class).autowire();
+
+		this.mvc.perform(post("/logout")
+				.with(csrf()))
+				.andExpect(status().isNotFound());
+	}
+
+	@EnableWebSecurity
+	static class LogoutDisabledConfig extends WebSecurityConfigurerAdapter {
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.logout()
+					.disable();
+			// @formatter:on
+		}
+	}
 }
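Review bot: The `status().isNotFound()` assertion in `logoutWhenDisabledThenLogoutUrlNotFound` is an indirect signal. It appears to hold only because `LogoutDisabledConfig` declares no authorization rules and nothing else in the test context handles `/logout`. A comment above the `perform` call, e.g. `// no LogoutFilter is registered, so POST /logout falls through to a 404`, would make that dependency explicit. Without it, someone who later adds authorization rules to the config could misread a 401 or 403 as a regression in logout handling.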

+ 36 - 0
config/src/test/java/org/springframework/security/config/web/server/LogoutSpecTests.java

@@ -164,4 +164,40 @@ public class LogoutSpecTests {
 			.assertAt()
 			.assertLogout();
 	}
+
+	@Test
+	public void logoutWhenDisabledThenPostToLogoutDoesNothing() {
+		SecurityWebFilterChain securityWebFilter = this.http
+				.authorizeExchange()
+				.anyExchange().authenticated()
+				.and()
+				.formLogin().and()
+				.logout().disable()
+				.build();
+
+		WebTestClient webTestClient = WebTestClientBuilder
+				.bindToWebFilters(securityWebFilter)
+				.build();
+
+		WebDriver driver = WebTestClientHtmlUnitDriverBuilder
+				.webTestClientSetup(webTestClient)
+				.build();
+
+		FormLoginTests.DefaultLoginPage loginPage = FormLoginTests.HomePage.to(driver, FormLoginTests.DefaultLoginPage.class)
+				.assertAt();
+
+		FormLoginTests.HomePage homePage = loginPage.loginForm()
+				.username("user")
+				.password("password")
+				.submit(FormLoginTests.HomePage.class);
+
+		homePage.assertAt();
+
+		FormLoginTests.DefaultLogoutPage.to(driver)
+				.assertAt()
+				.logout();
+
+		homePage
+				.assertAt();
+	}
 }
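Review bot: The closing `homePage.assertAt()` in `logoutWhenDisabledThenPostToLogoutDoesNothing` checks the page the driver landed on after the logout form was submitted, which is weaker than showing that the session is still authenticated. Assuming `assertAt()` only inspects the current page (the helper is not visible here), a fresh request for the protected page would pin the behaviour down: `FormLoginTests.HomePage.to(driver, FormLoginTests.HomePage.class).assertAt();`. A short comment before the logout step, such as `// logout is disabled, so this POST must leave the session intact`, would also make the intent of the last assertion clear.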