Support Multiple ServerLogoutHandlers

This commit adds support to ServerHttpSecurity for registering
multiple ServerLogoutHandlers. This is handy so that an application
does not need to re-supply any handlers already configured by
the DSL.

Signed-off-by: blake_bauman <blake_bauman@apple.com>

Author: blake-bauman

config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

@@ -3026,7 +3026,7 @@ public final class LogoutSpec {
 
 		private final SecurityContextServerLogoutHandler DEFAULT_LOGOUT_HANDLER = new SecurityContextServerLogoutHandler();
 
-		private List<ServerLogoutHandler> logoutHandlers = new ArrayList<>();
+		private List<ServerLogoutHandler> logoutHandlers = new ArrayList<>(Arrays.asList(this.DEFAULT_LOGOUT_HANDLER));
 
 		private LogoutSpec() {
 		}
@@ -3044,14 +3044,21 @@ public LogoutSpec logoutHandler(ServerLogoutHandler logoutHandler) {
 			return addLogoutHandler(logoutHandler);
 		}
 
+		private LogoutSpec addLogoutHandler(ServerLogoutHandler logoutHandler) {
+			Assert.notNull(logoutHandler, "logoutHandler cannot be null");
+			this.logoutHandlers.add(logoutHandler);
+			return this;
+		}
+
 		/**
-		 * Adds a logout handler in the last position.
-		 * @param logoutHandler
+		 * Allows managing the list of {@link ServerLogoutHandler} instances.
+		 * @param handlersConsumer {@link Consumer} for managing the list of handlers.
 		 * @return the {@link LogoutSpec} to configure
+		 * @since 7.0
 		 */
-		public LogoutSpec addLogoutHandler(ServerLogoutHandler logoutHandler) {
-			Assert.notNull(logoutHandler, "logoutHandler cannot be null");
-			this.logoutHandlers.add(logoutHandler);
+		public LogoutSpec logoutHandler(Consumer<List<ServerLogoutHandler>> handlersConsumer) {
+			Assert.notNull(handlersConsumer, "consumer cannot be null");
+			handlersConsumer.accept(this.logoutHandlers);
 			return this;
 		}
 
@@ -3098,7 +3105,7 @@ private ServerLogoutHandler createLogoutHandler() {
 				this.DEFAULT_LOGOUT_HANDLER.setSecurityContextRepository(securityContextRepository);
 			}
 			if (this.logoutHandlers.isEmpty()) {
-				return DEFAULT_LOGOUT_HANDLER;
+				return this.DEFAULT_LOGOUT_HANDLER;
 			}
 			if (this.logoutHandlers.size() == 1) {
 				return this.logoutHandlers.get(0);

config/src/test/java/org/springframework/security/config/web/server/LogoutSpecTests.java

@@ -16,18 +16,27 @@
 
 package org.springframework.security.config.web.server;
 
+import org.jspecify.annotations.Nullable;
 import org.junit.jupiter.api.Test;
 import org.openqa.selenium.WebDriver;
+import reactor.core.publisher.Mono;
 
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.config.annotation.web.reactive.ServerHttpSecurityConfigurationBuilder;
+import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.htmlunit.server.WebTestClientHtmlUnitDriverBuilder;
 import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
 import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.security.web.server.authentication.logout.ServerLogoutHandler;
+import org.springframework.security.web.server.context.ServerSecurityContextRepository;
 import org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository;
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
 import org.springframework.test.web.reactive.server.WebTestClient;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.server.ServerWebExchange;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.springframework.security.config.Customizer.withDefaults;
@@ -210,6 +219,84 @@ public void logoutWhenCustomSecurityContextRepositoryThenLogsOut() {
 		FormLoginTests.HomePage.to(driver, FormLoginTests.DefaultLoginPage.class).assertAt();
 	}
 
+	@Test
+	public void multipleLogoutHandlers() {
+		InMemorySecurityContextRepository repository = new InMemorySecurityContextRepository();
+		MultiValueMap<String, String> logoutData = new LinkedMultiValueMap<>();
+		ServerLogoutHandler handler1 = (exchange, authentication) -> {
+			logoutData.add("handler-header", "value1");
+			return Mono.empty();
+		};
+		ServerLogoutHandler handler2 = (exchange, authentication) -> {
+			logoutData.add("handler-header", "value2");
+			return Mono.empty();
+		};
+		// @formatter:off
+		SecurityWebFilterChain securityWebFilter = this.http
+				.securityContextRepository(repository)
+				.authorizeExchange((authorize) -> authorize
+						.anyExchange().authenticated())
+				.formLogin(withDefaults())
+				.logout((logoutSpec) -> logoutSpec.logoutHandler((handlers) -> {
+					handlers.add(handler1);
+					handlers.add(0, handler2);
+				}))
+				.build();
+		WebTestClient webTestClient = WebTestClientBuilder
+				.bindToWebFilters(securityWebFilter)
+				.build();
+		WebDriver driver = WebTestClientHtmlUnitDriverBuilder
+				.webTestClientSetup(webTestClient)
+				.build();
+		// @formatter:on
+		FormLoginTests.DefaultLoginPage loginPage = FormLoginTests.HomePage
+			.to(driver, FormLoginTests.DefaultLoginPage.class)
+			.assertAt();
+		// @formatter:off
+		loginPage = loginPage.loginForm()
+							.username("user")
+							.password("invalid")
+							.submit(FormLoginTests.DefaultLoginPage.class)
+							.assertError();
+		FormLoginTests.HomePage homePage = loginPage.loginForm()
+													.username("user")
+													.password("password")
+													.submit(FormLoginTests.HomePage.class);
+		// @formatter:on
+		homePage.assertAt();
+		SecurityContext savedContext = repository.getSavedContext();
+		assertThat(savedContext).isNotNull();
+		assertThat(savedContext.getAuthentication()).isInstanceOf(UsernamePasswordAuthenticationToken.class);
+
+		loginPage = FormLoginTests.DefaultLogoutPage.to(driver).assertAt().logout();
+		loginPage.assertAt().assertLogout();
+		assertThat(logoutData).hasSize(1);
+		assertThat(logoutData.get("handler-header")).containsExactly("value2", "value1");
+		savedContext = repository.getSavedContext();
+		assertThat(savedContext).isNull();
+	}
+
+	private static class InMemorySecurityContextRepository implements ServerSecurityContextRepository {
+
+		@Nullable private SecurityContext savedContext;
+
+		@Override
+		public Mono<Void> save(ServerWebExchange exchange, SecurityContext context) {
+			this.savedContext = context;
+			return Mono.empty();
+		}
+
+		@Override
+		public Mono<SecurityContext> load(ServerWebExchange exchange) {
+			return Mono.justOrEmpty(this.savedContext);
+		}
+
+		@Nullable private SecurityContext getSavedContext() {
+			return this.savedContext;
+		}
+
+	}
+
 	@RestController
 	public static class HomeController {