Expected Behavior
RememberMeServices should handle logout itself. To make this happen, declare a RememberMeServices.logout method and add an additional LogoutHandler to LogoutFilter which calls RememberMeServices.logout.
```java
package org.springframework.security.web.authentication;

public interface RememberMeServices {
    // current methods omitted.
    void logout(HttpServletRequest req, HttpServletResponse res, Authentication authentication);
}
```
Current Behavior
RememberMeServices has no method that is called on user logout, so when users log out, the remember-me token is still in the database and the user can access resources after logging out.
Context
Comment From: jzheaux
Hi, @hurelhuyag, thanks for reaching out. Since AbstractRememberMeServices already implements LogoutHandler, I'm not sure that there is anything more to be done. It's also true that HttpSecurity#rememberMe will add any remember me services instance that implements LogoutHandler to the set of logout handlers.
If you are having trouble with getting Spring Security to pick up your remember me services, I'd like to direct you over to StackOverflow to figure out why your remember me services instance is not invoked on logout. If it implements LogoutHandler (which TokenBasedRememberMeServices and PersistentTokenBasedRememberMeServices already do) and it is provided in the rememberMe() configuration, it should be picked up automatically.
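A standalone check of the behaviour described in the reply above, as an added example that is not code from the issue or from the Spring Security project: it calls PersistentTokenBasedRememberMeServices through the LogoutHandler interface and confirms that the stored token is removed and the cookie is expired. It assumes spring-security-web, spring-security-core and spring-test are on the classpath and that the default cookie name `remember-me` is in use; the class name `RememberMeLogoutCheck`, the user, key, series and token value are constructed for illustration.

```java
import java.util.Date;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentRememberMeToken;
import org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices;

public class RememberMeLogoutCheck {

    /** Returns true when logout removed the stored token and expired the cookie. */
    static boolean logoutRevokesRememberMe() {
        // Constructed sample user, key, series and token value.
        UserDetails alice = User.withUsername("alice").password("{noop}pw").roles("USER").build();
        InMemoryTokenRepositoryImpl tokens = new InMemoryTokenRepositoryImpl();
        PersistentTokenBasedRememberMeServices services = new PersistentTokenBasedRememberMeServices(
                "sample-key", new InMemoryUserDetailsManager(alice), tokens);

        // Simulate a token issued at an earlier remember-me login.
        tokens.createNewToken(new PersistentRememberMeToken("alice", "series-1", "value-1", new Date()));

        Authentication auth = new UsernamePasswordAuthenticationToken(alice, null, alice.getAuthorities());
        MockHttpServletResponse response = new MockHttpServletResponse();

        // The services object is itself the LogoutHandler that the logout filter would call.
        LogoutHandler handler = services;
        handler.logout(new MockHttpServletRequest(), response, auth);

        boolean tokenRemoved = tokens.getTokenForSeries("series-1") == null;
        boolean cookieExpired = response.getCookie("remember-me") != null
                && response.getCookie("remember-me").getMaxAge() == 0;
        return tokenRemoved && cookieExpired;
    }

    public static void main(String[] args) {
        if (!logoutRevokesRememberMe()) {
            throw new IllegalStateException("remember-me token survived logout");
        }
        System.out.println("remember-me token removed and cookie expired on logout");
    }
}
```

If a custom remember-me services class fails the same check, confirm that it implements LogoutHandler and that its logout method deletes the server-side token rather than only clearing the cookie.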