I decided to implement a logout handler which broadcasts a logout event. I insert it into the filter chain before the existing logout filter (I think). And then I have a LoggerListener which captures the various security events I want to record in a DB.
The following is from my security context, but I think it is wrong:
I don't think I need the last two beans (remember me and the handler) in the list, because if I understand how this works correctly, there is a logout filter after this one? The one that is from the auto-config? Right?
<beans:bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
<beans:constructor-arg index="0" value="/login.jsp?logout=1" /> <!-- URL redirected to after logout -->