Expected Behavior If spring security with spring session,the DelegatingServerLogoutHandler's delegates must be sorted
the SecurityContextServerLogoutHandler must be before WebSessionServerLogoutHandler in DelegatingServerLogoutHandler constructor.
Current Behavior
If WebSessionServerLogoutHandler be before SecurityContextServerLogoutHandler add to DelegatingServerLogoutHandler's delegates,
The WebSessionServerLogoutHandler delete session id from redis, then SecurityContextServerLogoutHandler will not obtain sessionid to operrate,this will occure Session was invalidated.
The spring security doc showed DelegatingServerLogoutHandler logoutHandler = new DelegatingServerLogoutHandler(
new WebSessionServerLogoutHandler(), new SecurityContextServerLogoutHandler()
);
This will be problem.
Context
sprin security with spring session and redis to store sessionId.
Comment From: jzheaux
Thanks, @quentin-lipeng, this is now updated in the documentation.