From 94a3adb92816712c30c1c18c2049df4ebab9cae0 Mon Sep 17 00:00:00 2001
From: Eleftheria Stein <estein@vmware.com>
Date: Thu, 24 Jun 2021 10:12:26 +0200
Subject: [PATCH] Apply DefaultLoginPageConfigurer before logout

If they are not applied in this order, then the LogoutConfigurer cannot
set the logoutSuccessUrl, because the DefaultLoginPageGeneratingFilter
does not exist yet.
This impacts users that inject the default HttpSecurity bean.

Closes gh-9973
---
 .../web/configuration/HttpSecurityConfiguration.java |  2 +-
 .../HttpSecurityConfigurationTests.java              | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java
index 3ada3f762e..2aad5f658a 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java
@@ -94,8 +94,8 @@ class HttpSecurityConfiguration {
 			.requestCache(withDefaults())
 			.anonymous(withDefaults())
 			.servletApi(withDefaults())
-			.logout(withDefaults())
 			.apply(new DefaultLoginPageConfigurer<>());
+		http.logout(withDefaults());
 		// @formatter:on
 		return http;
 	}
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java
index 56a0909c47..7d1186c8a0 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java
@@ -187,6 +187,18 @@ public class HttpSecurityConfigurationTests {
 		this.mockMvc.perform(get("/login")).andExpect(status().isOk());
 	}
 
+	@Test
+	public void loginWhenUsingDefaultsThenDefaultLoginFailurePageGenerated() throws Exception {
+		this.spring.register(SecurityEnabledConfig.class).autowire();
+		this.mockMvc.perform(get("/login?error")).andExpect(status().isOk());
+	}
+
+	@Test
+	public void loginWhenUsingDefaultsThenDefaultLogoutSuccessPageGenerated() throws Exception {
+		this.spring.register(SecurityEnabledConfig.class).autowire();
+		this.mockMvc.perform(get("/login?logout")).andExpect(status().isOk());
+	}
+
 	@RestController
 	static class NameController {