I have a custom authentication failure handler as below:

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.authentication.AccountExpiredException;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.web.authentication.AuthenticationFailureHandler;
    import org.springframework.stereotype.Component;

    @Component
    public class MyAuthFailureHandler implements AuthenticationFailureHandler {
        @Override
        public void onAuthenticationFailure(HttpServletRequest request,
                HttpServletResponse response, AuthenticationException exception)
                throws IOException, ServletException {
            String username = request.getParameter("username"); // form-login's default parameter name
            if (exception instanceof AccountExpiredException && username != null) {
                // do some internal lookup and set values in request and redirect
                System.out.println("Forwarding.... ");
                request.getRequestDispatcher("/recoverAccount").forward(request, response);
            }
        }
    }
And I configured the handler in the security config as below:

    @Autowired
    private AuthenticationSuccessHandler successHandler;

    @Autowired
    private AuthenticationFailureHandler authenticationFailureHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable() // CSRF protection is switched off for the whole application here
            .authorizeRequests()
                .antMatchers("/reset", "/resetStatus", "/recoverAccount", "/login**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .successHandler(successHandler)
                .failureHandler(authenticationFailureHandler)
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
And on login, whenever an AccountExpiredException is thrown, the handler is invoked and I get "Forwarding" printed out, but the forward is not working and I am redirected to the login page without any error. Redirect is also not working.
I checked the documentation, but there is no information about forwards.
I checked this post and verified that /recoverAccount is allowed for unauthorized access.
By testing repeatedly I can see that /recoverAccount is blocked and redirected to the default login page, but I am not able to find what causes this. Any help is highly appreciated.