f38df9
@@ -16,28 +16,34 @@
 package org.springframework.security.web.authentication.logout;
 
 
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.util.Assert;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-
 /**
  * Performs a logout by modifying the {@link org.springframework.security.core.context.SecurityContextHolder}.
  * <p>
  * Will also invalidate the {@link HttpSession} if {@link #isInvalidateHttpSession()} is {@code true} and the
  * session is not {@code null}.
+ * <p>
+ * Will also remove the {@link Authentication} from the current {@link SecurityContext} if {@link #clearAuthentication}
+ * is set to true (default).
  *
  * @author Ben Alex
+ * @author Rob Winch
  */
 public class SecurityContextLogoutHandler implements LogoutHandler {
     protected final Log logger = LogFactory.getLog(this.getClass());
 
     private boolean invalidateHttpSession = true;
+    private boolean clearAuthentication = true;
 
     //~ Methods ========================================================================================================
 
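Review bot: The new class Javadoc uses `{@link #clearAuthentication}`, which points at a private field; generated Javadoc does not render links to private members, so the reference should target the public API instead, e.g. `{@link #setClearAuthentication(boolean)}`. The sentence above it links `{@link #isInvalidateHttpSession()}` for the sibling flag, so the analogous accessor would be the natural target once one exists. The rest of this hunk is an import reorder and a field addition and needs no change.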
@@ -58,6 +64,11 @@
public class SecurityContextLogoutHandler implements LogoutHandler {
             }
         }
 
+        if(clearAuthentication) {
+            SecurityContext context = SecurityContextHolder.getContext();
+            context.setAuthentication(null);
+        }
+
         SecurityContextHolder.clearContext();
     }
 
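Review bot: The reason for nulling the Authentication on the context object immediately before `SecurityContextHolder.clearContext()` is not recorded at the call site, and it is the non-obvious part of this change: `clearContext()` only drops the holder's reference, whereas `context.setAuthentication(null)` mutates the instance itself, which presumably matters when the same SecurityContext object is still reachable elsewhere (the setter Javadoc mentions concurrent requests). A one-line comment would keep that intent from being lost, e.g. `// clearContext() only detaches the holder; null the Authentication on the instance as well so any other reference to this context does not keep it`. Note also that the check reads the field directly as `if(clearAuthentication)`; adding a space after `if` would match the usual formatting. The enclosing logout method begins before this hunk.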
@@ -75,4 +86,14 @@
public class SecurityContextLogoutHandler implements LogoutHandler {
         this.invalidateHttpSession = invalidateHttpSession;
     }
 
+    /**
+     * If true, removes the {@link Authentication} from the {@link SecurityContext} to prevent issues with concurrent
+     * requests.
+     *
+     * @param clearAuthentication true if you wish to clear the {@link Authentication} from the {@link SecurityContext}
+     * (default) or false if the {@link Authentication} should not be removed.
+     */
+    public void setClearAuthentication(boolean clearAuthentication) {
+        this.clearAuthentication = clearAuthentication;
+    }
 }
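Review bot: `setClearAuthentication(boolean)` has no matching read accessor, while the existing `invalidateHttpSession` flag exposes `isInvalidateHttpSession()` (referenced in the class Javadoc), so callers and subclasses cannot inspect the new setting. Adding `public boolean isClearAuthentication() { return clearAuthentication; }` with a short Javadoc keeps the two flags symmetric and gives the class-level `{@link}` a public target. The setter's Javadoc itself reads fine.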
