Publish an AuditEvent on logout

[mdeinum]

Currently the actuator does a good job on sending AuditEvents on login (ok/failure) authentication etc. would be nice if that could also be done for a logout. This can probably be implemented with a LogoutHandler which gets invoked in the logout chain or another ApplicationListener that listens for SessionDestroyedEvents.

Would be especially nice if a difference could be made between a regular logoff or a session timeout.

Might be related to SEC-2680.

[mdeinum]

After reconsideration this might not be a addition for Spring Boot, it uses by default basic authentication for which logout will not work.

[dsyer]

Logout works if there is a session (which would be the normal way of using Spring Boot with a UI). Also, I do not think this is a Boot issue. If SEC-2680 is resolved we'd pick up the events with no changes.

[mdeinum]

If a logout event is issued you might need to add a new auditevent so that it can be logged properly. Now only AUTHENTICATION_SUCCESS, AUTHENTICATION_SWITCH and AUTHENTICATION_FAILURE are logged. I can image that a AUTHENTICATION_LOGOUT or something alike might be added.

But agreed that is just a minor enhancement and relies upon the solution provided by SEC-2680.

[ptahchiev]

+1 for this

[philwebb]

I think we should leave this to the Spring Security fix suggested in SEC-2680

[Chu3laMan]

can I make a try out on this?

[philwebb]

Please do @Chu3laMan. You'll probably want to take a look at AuthenticationAuditListener and add something to onApplicationEvent that deals with org.springframework.security.authentication.event.LogoutSuccessEvent. There are existing tests in AuthenticationAuditListenerTests that might also help.

[Chu3laMan]

@philwebb It's already done, don't we need to take care about handling errors during logout phase inside the same method?

[philwebb]

Closing in favor of PR #41278. Thanks @Chu3laMan