From 8fea725b8c527233224b71bb5d01e3329f1feb41 Mon Sep 17 00:00:00 2001
From: blake_bauman <blake_bauman@apple.com>
Date: Fri, 27 Jun 2025 01:44:21 -0700
Subject: [PATCH] feat: Make addLogoutHandler() public in Webflux to allow for
 multi logout handlers like with Servlet.

Signed-off-by: Blake Bauman <blake_bauman@apple.com>
---
 .../config/web/server/ServerHttpSecurity.java      | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
index a46e7841b3..cfe2ebe869 100644
--- a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
@@ -3022,14 +3022,15 @@ public class ServerHttpSecurity {
 
 		private final SecurityContextServerLogoutHandler DEFAULT_LOGOUT_HANDLER = new SecurityContextServerLogoutHandler();
 
-		private List<ServerLogoutHandler> logoutHandlers = new ArrayList<>(Arrays.asList(this.DEFAULT_LOGOUT_HANDLER));
+		private List<ServerLogoutHandler> logoutHandlers = new ArrayList<>();
 
 		private LogoutSpec() {
 		}
 
 		/**
 		 * Configures the logout handler. Default is
-		 * {@code SecurityContextServerLogoutHandler}
+		 * {@code SecurityContextServerLogoutHandler}. This clears any previous handlers
+		 * configured.
 		 * @param logoutHandler
 		 * @return the {@link LogoutSpec} to configure
 		 */
@@ -3039,7 +3040,12 @@ public class ServerHttpSecurity {
 			return addLogoutHandler(logoutHandler);
 		}
 
-		private LogoutSpec addLogoutHandler(ServerLogoutHandler logoutHandler) {
+		/**
+		 * Adds a logout handler in the last position.
+		 * @param logoutHandler
+		 * @return the {@link LogoutSpec} to configure
+		 */
+		public LogoutSpec addLogoutHandler(ServerLogoutHandler logoutHandler) {
 			Assert.notNull(logoutHandler, "logoutHandler cannot be null");
 			this.logoutHandlers.add(logoutHandler);
 			return this;
@@ -3088,7 +3094,7 @@ public class ServerHttpSecurity {
 				this.DEFAULT_LOGOUT_HANDLER.setSecurityContextRepository(securityContextRepository);
 			}
 			if (this.logoutHandlers.isEmpty()) {
-				return null;
+				return DEFAULT_LOGOUT_HANDLER;
 			}
 			if (this.logoutHandlers.size() == 1) {
 				return this.logoutHandlers.get(0);