Apply DefaultLoginPageConfigurer before logout

If they are not applied in this order, then the LogoutConfigurer cannot
set the logoutSuccessUrl, because the DefaultLoginPageGeneratingFilter
does not exist yet.
This impacts users that inject the default HttpSecurity bean.

Closes gh-9973

Author: eleftherias

config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java

@@ -94,8 +94,8 @@ HttpSecurity httpSecurity() throws Exception {
 			.requestCache(withDefaults())
 			.anonymous(withDefaults())
 			.servletApi(withDefaults())
-			.logout(withDefaults())
 			.apply(new DefaultLoginPageConfigurer<>());
+		http.logout(withDefaults());
 		// @formatter:on
 		return http;
 	}

config/src/test/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java

@@ -187,6 +187,18 @@ public void loginWhenUsingDefaultsThenDefaultLoginPageGenerated() throws Excepti
 		this.mockMvc.perform(get("/login")).andExpect(status().isOk());
 	}
 
+	@Test
+	public void loginWhenUsingDefaultsThenDefaultLoginFailurePageGenerated() throws Exception {
+		this.spring.register(SecurityEnabledConfig.class).autowire();
+		this.mockMvc.perform(get("/login?error")).andExpect(status().isOk());
+	}
+
+	@Test
+	public void loginWhenUsingDefaultsThenDefaultLogoutSuccessPageGenerated() throws Exception {
+		this.spring.register(SecurityEnabledConfig.class).autowire();
+		this.mockMvc.perform(get("/login?logout")).andExpect(status().isOk());
+	}
+
 	@RestController
 	static class NameController {