spring security 3 authentication-failure-url change

Question

I'm developing web application on spring where authentication is made with Spring Security 3 and LDAP.

This is a form-login snippet from my code:

<security:form-login
    authentication-failure-url="/index.xhtml?error=true"
    default-target-url="/SomeDefaultUrl.xhtml"
    login-page="/index.xhtml" />

When authentication fails my application is redirected to "/index.xhtml?error=true" url. The problem is that I don't know how to catch "error" variable and show some authentication failure message in index.xhtml file. I'm not using Spring mvc.

The second problem is that changing of authentication-failure-url doesn't work.

<security:form-login
    authentication-failure-url="/error.xhtml"
    default-target-url="/SomeDefaultUrl.xhtml"
    login-page="/index.xhtml" />

I changed authentication-failure-url, but despite of this change, it still redirects to index.xhtml file without any variables.

How can I solve this problem?

score 3 · Answer 1 · answered Dec 05 '12 at 09:56

If your index.xhtml is a JSP, you can do this (directly from Spring 3 Recipes book):

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<c:if test="${not empty param.error}">
    Login error.
    Reason ${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}
</c:if>

score 1 · Accepted Answer · edited May 23 '17 at 12:09

Important: /index.xhtml?error=true sends error as GET parameter.

If your index.xhtml is a JSP file you can access that param using implicit request reference:

<%= request.getParameter("error") %>

If index.xhtml is URL of your web controller method/servlet you need to get error param from Request object.

public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException 
{       
    String error = req.getParameter("error");
}

Finally, if your index.xhtml is a plain html file, you can use Java Script to get that parameter: How to retrieve GET parameters from javascript?

For your second question: make sure you properly rebuild your project. It looks like it didn't notice your changes.

Thank you for you great advises. About second question: I rebuild project and it noticed my change, because it redirected to `index.xhtml` file and not to `index.xhtml?error=true` I think when value of authentication-failure-url parameter is not _acceptable_ it automatically redirects to index.xhtml. But I don't know how to fix it — JiboOne, Dec 04 '12 at 14:11

Chanda · Answer 3 · 2013-04-05T18:28:01.787

<security:form-login
    authentication-failure-url="/error.xhtml"
    default-target-url="/SomeDefaultUrl.xhtml"
    login-page="/index.xhtml" />

"I changed authentication-failure-url, but despite of this change, it still redirects to index.xhtml file without any variables."

Answer: Please define the below intercept-url inside your <http auto-config="true" use-expressions="true"></http> body.

<intercept-url pattern="/error.xhtml" access="permitAll"/>

You may not have defined access to /error.xhtml and that is why authentication-failure-url value is not acceptable and is falling through to the next logical url defined i.e. /index.html

score 0 · Answer 4 · edited May 23 '17 at 11:46

0

None of the solutions here worked for me, then I found this question, which had the correct solution for me: spring security 3.1. custom authentication-failure-url with url parameters

edited May 23 '17 at 11:46

Community

1
1

answered Sep 11 '13 at 20:06

lanoxx

12,249
13
87
142

spring security 3 authentication-failure-url change

4 Answers4