Polish Session Logout Support

jzheaux · jzheaux · commit 4c245d931ee4 · 2024-09-03T18:10:18.000-06:00
Issue gh-13841
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurer.java
@@ -227,11 +227,11 @@ public BackChannelLogoutConfigurer logoutUri(String logoutUri) {
 		 *
 		 * <p>
 		 * By default, the URI is set to
-		 * {@code {baseScheme}://localhost{basePort}/logout/connect/back-channel/{registrationId}},
-		 * which is simply an internal version of the same endpoint exposed to your
-		 * Back-Channel services. You can use {@link SessionLogoutConfigurer#logoutUri} to
-		 * alter the scheme, server name, or port in the {@code Host} header to
-		 * accommodate how your application would address itself internally.
+		 * {@code {baseUrl}/logout/connect/back-channel/{registrationId}}, which is simply
+		 * an internal version of the same endpoint exposed to your Back-Channel services.
+		 * You can use {@link SessionLogoutConfigurer#logoutUri} to alter the scheme,
+		 * server name, or port in the {@code Host} header to accommodate how your
+		 * application would address itself internally.
 		 *
 		 * <p>
 		 * For example, if the way your application would internally call itself is on a
@@ -308,7 +308,7 @@ public void logout(HttpServletRequest request, HttpServletResponse response,
 		 */
 		public final class SessionLogoutConfigurer {
 
-			private String logoutUri = "{baseScheme}://localhost{basePort}/logout/connect/back-channel/{registrationId}";
+			private String logoutUri = "{baseUrl}/logout/connect/back-channel/{registrationId}";
 
 			private String cookieName = "JSESSIONID";
 
diff --git a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
@@ -58,7 +58,6 @@
 import org.springframework.security.authorization.ObservationReactiveAuthorizationManager;
 import org.springframework.security.authorization.ReactiveAuthorizationManager;
 import org.springframework.security.config.Customizer;
-import org.springframework.security.config.annotation.web.configurers.oauth2.client.OidcLogoutConfigurer;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
@@ -5536,8 +5535,7 @@ private ServerLogoutHandler logoutHandler() {
 			 * that the scheme, server name, or port in the {@code Host} header are
 			 * different from how you would address the same server internally.
 			 * @param logoutUri the URI to request logout on the back-channel
-			 * @return the {@link OidcLogoutConfigurer.BackChannelLogoutConfigurer} for
-			 * further customizations
+			 * @return the {@link BackChannelLogoutConfigurer} for further customizations
 			 * @since 6.2.4
 			 * @deprecated Please use {@link #sessionLogout} instead
 			 */
@@ -5610,8 +5608,7 @@ public BackChannelLogoutConfigurer logoutUri(String logoutUri) {
 			 * </pre>
 			 * @param sessionLogout a {@link Customizer} for configuring how to log out of
 			 * each individual session
-			 * @return {@link OidcLogoutConfigurer.BackChannelLogoutConfigurer} for
-			 * further customizations
+			 * @return {@link BackChannelLogoutConfigurer} for further customizations
 			 * @since 6.4
 			 */
 			public BackChannelLogoutConfigurer sessionLogout(Customizer<SessionLogoutConfigurer> sessionLogout) {
@@ -5670,7 +5667,7 @@ public Mono<Void> logout(WebFilterExchange exchange, Authentication authenticati
 			 */
 			public final class SessionLogoutConfigurer {
 
-				private String logoutUri = "{baseScheme}://localhost{basePort}/logout/connect/back-channel/{registrationId}";
+				private String logoutUri = "{baseUrl}/logout/connect/back-channel/{registrationId}";
 
 				private String cookieName = "SESSION";
 
@@ -5696,9 +5693,7 @@ private SessionLogoutConfigurer() {
 				 * different logout endpoint, like the Spring Security logout endpoint:
 				 * {@code {baseScheme}://localhost{basePort}/logout}.
 				 * @param uri the URI to invoke to log out specific sessions
-				 * @return the
-				 * {@link OidcLogoutConfigurer.BackChannelLogoutConfigurer.SessionLogoutConfigurer}
-				 * for further customizations
+				 * @return the {@link SessionLogoutConfigurer} for further customizations
 				 */
 				public SessionLogoutConfigurer uri(String uri) {
 					this.logoutUri = uri;
@@ -5715,9 +5710,7 @@ public SessionLogoutConfigurer uri(String uri) {
 				 * <p>
 				 * When using Spring Session, you may need to set this to {@code SESSION}
 				 * @param cookieName the cookie name to use
-				 * @return the
-				 * {@link OidcLogoutConfigurer.BackChannelLogoutConfigurer.SessionLogoutConfigurer}
-				 * for further customizations
+				 * @return the {@link SessionLogoutConfigurer} for further customizations
 				 */
 				public SessionLogoutConfigurer cookieName(String cookieName) {
 					this.cookieName = cookieName;
