Currently the actuator does a good job of sending AuditEvents on login (ok/failure), authentication etc. It would be nice if that could also be done for a logout. This can probably be implemented with a LogoutHandler which gets invoked in the logout chain, or another ApplicationListener that listens for SessionDestroyedEvents.
It would be especially nice if a distinction could be made between a regular logoff and a session timeout.
Might be related to SEC-2680.
Comment From: mdeinum
After reconsideration this might not be an addition for Spring Boot; by default it uses basic authentication, for which logout will not work.
Comment From: dsyer
Logout works if there is a session (which would be the normal way of using Spring Boot with a UI). Also, I do not think this is a Boot issue. If SEC-2680 is resolved we'd pick up the events with no changes.
Comment From: mdeinum
If a logout event is issued you might need to add a new AuditEvent so that it can be logged properly. Now only AUTHENTICATION_SUCCESS, AUTHENTICATION_SWITCH and AUTHENTICATION_FAILURE are logged. I can imagine that an AUTHENTICATION_LOGOUT or something alike might be added.
But agreed, that is just a minor enhancement and relies upon the solution provided by SEC-2680.
Comment From: ptahchiev
+1 for this
Comment From: philwebb
I think we should leave this to the Spring Security fix suggested in SEC-2680
Comment From: Chu3laMan
Can I give this a try?
Comment From: philwebb
Please do @Chu3laMan. You'll probably want to take a look at AuthenticationAuditListener and add something to onApplicationEvent that deals with org.springframework.security.authentication.event.LogoutSuccessEvent. There are existing tests in AuthenticationAuditListenerTests that might also help.
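The approach described above (handling LogoutSuccessEvent in onApplicationEvent and publishing an AuditEvent), written out as an added example. This is not code from Spring Boot or from the PR in this thread. It assumes Spring Security 5.2 or later (where org.springframework.security.authentication.event.LogoutSuccessEvent exists) and the actuator on the classpath; the audit type name AUTHENTICATION_LOGOUT is a hypothetical choice taken from the suggestion earlier in the thread, not a constant Spring Boot defines. The listener extends the existing AuthenticationAuditListener so that success, failure and switch events keep their current handling, and the main method drives it without a Spring context by installing a capturing ApplicationEventPublisher, the same way the listener tests do.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.boot.actuate.audit.AuditEvent;
import org.springframework.boot.actuate.audit.listener.AuditApplicationEvent;
import org.springframework.boot.actuate.security.AuthenticationAuditListener;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
import org.springframework.security.authentication.event.LogoutSuccessEvent;
import org.springframework.security.core.Authentication;

/**
 * Added example: audit listener that also records explicit logouts.
 * Extends the auto-configured listener so existing audit types are unchanged.
 */
public class LogoutAuditListener extends AuthenticationAuditListener {

    /** Hypothetical audit type name; Spring Boot does not define this constant. */
    public static final String AUTHENTICATION_LOGOUT = "AUTHENTICATION_LOGOUT";

    @Override
    public void onApplicationEvent(AbstractAuthenticationEvent event) {
        if (event instanceof LogoutSuccessEvent) {
            onLogoutSuccessEvent((LogoutSuccessEvent) event);
        } else {
            // AUTHENTICATION_SUCCESS, AUTHENTICATION_FAILURE, AUTHENTICATION_SWITCH
            super.onApplicationEvent(event);
        }
    }

    private void onLogoutSuccessEvent(LogoutSuccessEvent event) {
        Authentication authentication = event.getAuthentication();
        Map<String, Object> data = new HashMap<>();
        if (authentication.getDetails() != null) {
            // Same shape as the success event: remote address / session id details
            data.put("details", authentication.getDetails());
        }
        publish(new AuditEvent(authentication.getName(), AUTHENTICATION_LOGOUT, data));
    }

    /** Drives the listener without a Spring context, capturing what it publishes. */
    public static List<AuditEvent> auditLogoutOf(String username) {
        LogoutAuditListener listener = new LogoutAuditListener();
        List<AuditEvent> captured = new ArrayList<>();
        listener.setApplicationEventPublisher(published -> {
            if (published instanceof AuditApplicationEvent) {
                captured.add(((AuditApplicationEvent) published).getAuditEvent());
            }
        });
        // Constructed sample authentication; a real one comes from the SecurityContext
        Authentication auth = new TestingAuthenticationToken(username, "n/a", "ROLE_USER");
        listener.onApplicationEvent(new LogoutSuccessEvent(auth));
        return captured;
    }

    public static void main(String[] args) {
        for (AuditEvent e : auditLogoutOf("alice")) {
            System.out.println(e.getPrincipal() + " " + e.getType() + " " + e.getData());
        }
    }
}
```

Two caveats when wiring this in: the actuator auto-configuration only registers its own AuthenticationAuditListener when no bean of type AbstractAuthenticationAuditListener is present, so declaring this class as a bean replaces the default rather than running beside it. And LogoutSuccessEvent is published by Spring Security's logout handler chain on an explicit logout only; a session that expires never passes through that chain, so the logoff-versus-timeout distinction asked for in the issue needs a separate listener on the session-destroyed event and is not covered by this example.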
Comment From: Chu3laMan
@philwebb It's already done, don't we need to take care about handling errors during logout phase inside the same method?
Comment From: philwebb
Closing in favor of PR #41278. Thanks @Chu3laMan