vaadin
diff --git a/‎flow-tests/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityConfig.java
Lines changed: 8 additions & 0 deletions b/‎flow-tests/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityConfig.java
Lines changed: 8 additions & 0 deletions
diff --git a/‎flow-tests/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityUtils.java
Lines changed: 10 additions & 31 deletions b/‎flow-tests/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityUtils.java
Lines changed: 10 additions & 31 deletions
diff --git a/‎flow-tests/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/service/BankService.java
Lines changed: 19 additions & 9 deletions b/‎flow-tests/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/service/BankService.java
Lines changed: 19 additions & 9 deletions
diff --git a/‎vaadin-spring/pom.xml
Lines changed: 5 additions & 0 deletions b/‎vaadin-spring/pom.xml
Lines changed: 5 additions & 0 deletions
diff --git a/‎vaadin-spring/src/main/java/com/vaadin/flow/spring/security/AuthenticationContext.java
Lines changed: 155 additions & 0 deletions b/‎vaadin-spring/src/main/java/com/vaadin/flow/spring/security/AuthenticationContext.java
Lines changed: 155 additions & 0 deletions
diff --git a/‎vaadin-spring/src/main/java/com/vaadin/flow/spring/security/UidlRedirectStrategy.java
Lines changed: 39 additions & 0 deletions b/‎vaadin-spring/src/main/java/com/vaadin/flow/spring/security/UidlRedirectStrategy.java
Lines changed: 39 additions & 0 deletions
@@ -16,6 +16,9 @@
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
+import com.vaadin.flow.component.UI;
+import com.vaadin.flow.internal.UrlUtil;
+import com.vaadin.flow.server.VaadinServletRequest;
 import com.vaadin.flow.spring.RootMappedCondition;
 import com.vaadin.flow.spring.VaadinConfigurationProperties;
 import com.vaadin.flow.spring.flowsecurity.data.UserInfo;
@@ -63,6 +66,11 @@ public void configure(HttpSecurity http) throws Exception {
                 .permitAll();
         super.configure(http);
         setLoginView(http, LoginView.class, getLogoutSuccessUrl());
+        http.logout().addLogoutHandler((request, response, authentication) -> {
+            UI ui = UI.getCurrent();
+            ui.accessSynchronously(() -> ui.getPage().setLocation(UrlUtil
+                    .getServletPathRelative(getLogoutSuccessUrl(), request)));
+        });
     }
 
     @Bean
 
@@ -1,17 +1,14 @@
 package com.vaadin.flow.spring.flowsecurity;
 
+import java.util.Optional;
+
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.core.context.SecurityContext;
-import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
 import org.springframework.stereotype.Component;
 
-import com.vaadin.flow.component.UI;
-import com.vaadin.flow.internal.UrlUtil;
-import com.vaadin.flow.server.VaadinServletRequest;
 import com.vaadin.flow.spring.flowsecurity.data.UserInfo;
 import com.vaadin.flow.spring.flowsecurity.service.UserInfoService;
+import com.vaadin.flow.spring.security.AuthenticationContext;
 
 @Component
 public class SecurityUtils {
@@ -20,38 +17,20 @@ public class SecurityUtils {
     private UserInfoService userInfoService;
     @Autowired
     private SecurityConfig securityConfig;
-
-    public UserDetails getAuthenticatedUser() {
-        SecurityContext context = SecurityContextHolder.getContext();
-        if (context == null) {
-            throw new IllegalStateException("No security context available");
-        }
-        if (context.getAuthentication() == null) {
-            return null;
-        }
-        Object principal = context.getAuthentication().getPrincipal();
-        if (principal instanceof UserDetails) {
-            return (UserDetails) context.getAuthentication().getPrincipal();
-        }
-        // Anonymous or no authentication.
-        return null;
-    }
+    @Autowired
+    private AuthenticationContext authenticationContext;
 
     public UserInfo getAuthenticatedUserInfo() {
-        UserDetails details = getAuthenticatedUser();
-        if (details == null) {
+        Optional<UserDetails> userDetails = authenticationContext
+                .getAuthenticatedUser(UserDetails.class);
+        if (userDetails.isEmpty()) {
             return null;
         }
-        return userInfoService.findByUsername(details.getUsername());
+        return userInfoService.findByUsername(userDetails.get().getUsername());
     }
 
     public void logout() {
-        SecurityContextLogoutHandler logoutHandler = new SecurityContextLogoutHandler();
-        logoutHandler.setInvalidateHttpSession(false);
-        VaadinServletRequest request = VaadinServletRequest.getCurrent();
-        logoutHandler.logout(request, null, null);
-        UI.getCurrent().getPage().setLocation(UrlUtil.getServletPathRelative(
-                securityConfig.getLogoutSuccessUrl(), request));
+        authenticationContext.logout();
     }
 
 }
@@ -3,10 +3,11 @@
 import java.math.BigDecimal;
 import java.util.Optional;
 
-import com.vaadin.flow.spring.flowsecurity.SecurityUtils;
 import com.vaadin.flow.spring.flowsecurity.data.Account;
+import com.vaadin.flow.spring.security.AuthenticationContext;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Service;
 
 @Service
@@ -16,7 +17,7 @@ public class BankService {
     private AccountService accountService;
 
     @Autowired
-    private SecurityUtils utils;
+    private AuthenticationContext authenticationContext;
 
     public void applyForLoan() {
         applyForLoan(10000);
@@ -26,14 +27,19 @@ public void applyForHugeLoan() {
         applyForLoan(1000000);
         try {
             Thread.sleep(3000);
-        } catch (InterruptedException e) {
+        } catch (InterruptedException ignored) {
         }
     }
 
     private void applyForLoan(int amount) {
-        String name = utils.getAuthenticatedUser().getUsername();
-        Optional<Account> acc = accountService.findByOwner(name);
-        if (!acc.isPresent()) {
+        Optional<UserDetails> authenticatedUser = authenticationContext
+                .getAuthenticatedUser(UserDetails.class);
+        if (authenticatedUser.isEmpty()) {
+            return;
+        }
+        Optional<Account> acc = accountService
+                .findByOwner(authenticatedUser.get().getUsername());
+        if (acc.isEmpty()) {
             return;
         }
         Account account = acc.get();
@@ -42,9 +48,13 @@ private void applyForLoan(int amount) {
     }
 
     public BigDecimal getBalance() {
-        String name = utils.getAuthenticatedUser().getUsername();
-        return accountService.findByOwner(name).map(Account::getBalance)
-                .orElse(null);
+        Optional<UserDetails> authenticatedUser = authenticationContext
+                .getAuthenticatedUser(UserDetails.class);
+        if (authenticatedUser.isEmpty()) {
+            return null;
+        }
+        return accountService.findByOwner(authenticatedUser.get().getUsername())
+                .map(Account::getBalance).orElse(null);
     }
 
 }
@@ -109,6 +109,11 @@
             <artifactId>spring-test</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-test</artifactId>
+            <scope>test</scope>
+        </dependency>
 
         <dependency>
             <groupId>org.springframework.boot</groupId>
 
@@ -0,0 +1,155 @@
+/*
+ * Copyright 2000-2022 Vaadin Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package com.vaadin.flow.spring.security;
+
+import java.io.IOException;
+import java.io.Serializable;
+import java.util.List;
+import java.util.Optional;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.logout.CompositeLogoutHandler;
+import org.springframework.security.web.authentication.logout.LogoutHandler;
+import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
+
+import com.vaadin.flow.component.UI;
+import com.vaadin.flow.server.VaadinServletRequest;
+import com.vaadin.flow.server.VaadinServletResponse;
+
+/**
+ * The authentication context of the application.
+ * <p>
+ * An instance of this class is available for injection as bean in view and
+ * layout classes.
+ *
+ * It allows to access authenticated user information and to initiate the logout
+ * process.
+ *
+ * @author Vaadin Ltd
+ * @since 23.3
+ */
+public class AuthenticationContext implements Serializable {
+
+    private static final Logger LOGGER = LoggerFactory
+            .getLogger(AuthenticationContext.class);
+
+    private transient LogoutSuccessHandler logoutSuccessHandler;
+
+    private transient CompositeLogoutHandler logoutHandler;
+
+    /**
+     * Gets an {@link Optional} with an instance of the current user if it has
+     * been authenticated, or empty if the user is not authenticated.
+     *
+     * Anonymous users are considered not authenticated.
+     *
+     * @param <U>
+     *            the type parameter of the expected user instance
+     * @param userType
+     *            the type of the expected user instance
+     * @return an {@link Optional} with the current authenticated user, or empty
+     *         if none available
+     * @throws ClassCastException
+     *             if the current user instance does not match the given
+     *             {@code userType}.
+     */
+    public <U> Optional<U> getAuthenticatedUser(Class<U> userType) {
+        return getAuthentication().map(Authentication::getPrincipal)
+                .map(userType::cast);
+    }
+
+    /**
+     * Indicates whether a user is currently authenticated.
+     *
+     * Anonymous users are considered not authenticated.
+     *
+     * @return {@literal true} if a user is currently authenticated, otherwise
+     *         {@literal false}
+     */
+    public boolean isAuthenticated() {
+        return getAuthentication().map(Authentication::isAuthenticated)
+                .orElse(false);
+    }
+
+    /**
+     * Initiates the logout process of the current authenticated user by
+     * invalidating the local session and then notifying
+     * {@link org.springframework.security.web.authentication.logout.LogoutHandler}.
+     */
+    public void logout() {
+        HttpServletRequest request = VaadinServletRequest.getCurrent()
+                .getHttpServletRequest();
+        HttpServletResponse response = VaadinServletResponse.getCurrent()
+                .getHttpServletResponse();
+        Authentication auth = SecurityContextHolder.getContext()
+                .getAuthentication();
+
+        final UI ui = UI.getCurrent();
+        logoutHandler.logout(request, response, auth);
+        ui.accessSynchronously(() -> {
+            try {
+                logoutSuccessHandler.onLogoutSuccess(request, response, auth);
+            } catch (IOException | ServletException e) {
+                // Raise a warning log message about the failure.
+                LOGGER.warn(
+                        "There was an error notifying the logout handler about the user logout",
+                        e);
+            }
+        });
+    }
+
+    /**
+     * Sets component to handle logout process.
+     *
+     * This method should be invoked after deserialization to refresh required
+     * transient fields.
+     *
+     * @param logoutSuccessHandler
+     *            {@link LogoutSuccessHandler} instance, not {@literal null}.
+     * @param logoutHandlers
+     *            {@link LogoutHandler}s list, not {@literal null}.
+     */
+    void setLogoutHandlers(LogoutSuccessHandler logoutSuccessHandler,
+            List<LogoutHandler> logoutHandlers) {
+        this.logoutSuccessHandler = logoutSuccessHandler;
+        this.logoutHandler = new CompositeLogoutHandler(logoutHandlers);
+    }
+
+    private static Optional<Authentication> getAuthentication() {
+        return Optional.of(SecurityContextHolder.getContext())
+                .map(SecurityContext::getAuthentication)
+                .filter(auth -> !(auth instanceof AnonymousAuthenticationToken));
+    }
+
+    /* For testing purposes */
+    LogoutSuccessHandler getLogoutSuccessHandler() {
+        return logoutSuccessHandler;
+    }
+
+    /* For testing purposes */
+    CompositeLogoutHandler getLogoutHandler() {
+        return logoutHandler;
+    }
+
+}
@@ -0,0 +1,39 @@
+package com.vaadin.flow.spring.security;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+import org.slf4j.LoggerFactory;
+import org.springframework.security.web.DefaultRedirectStrategy;
+
+import com.vaadin.flow.component.UI;
+import com.vaadin.flow.server.HandlerHelper;
+
+/**
+ * A strategy to handle redirects which is aware of UIDL requests.
+ *
+ * @author Vaadin Ltd
+ * @since 1.0
+ */
+public class UidlRedirectStrategy extends DefaultRedirectStrategy {
+
+    @Override
+    public void sendRedirect(HttpServletRequest request,
+            HttpServletResponse response, String url) throws IOException {
+        final var servletMapping = request.getHttpServletMapping().getPattern();
+        if (HandlerHelper.isFrameworkInternalRequest(servletMapping, request)) {
+            UI ui = UI.getCurrent();
+            if (ui != null) {
+                ui.getPage().setLocation(url);
+            } else {
+                LoggerFactory.getLogger(UidlRedirectStrategy.class).warn(
+                        "A redirect to {} was request during a Vaadin request, "
+                                + "but it was not possible to get the UI instance to perform the action.",
+                        url);
+            }
+        } else {
+            super.sendRedirect(request, response, url);
+        }
+    }
+}