Why am I not getting Spring security login error messages?

Using Spring Security 3 along with Struts 2 and Tiles 2, I have a login page that appears when it is supposed to and logs in as expected. However, when I enter bad user credentials, I am returned to the login page without any information about what went wrong. I have checked all my configuration options and I cannot see where the problem is.

My Spring Security XML configuration is as follows:

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/" access="permitAll" />
        <intercept-url pattern="/css/**" access="permitAll" />
        <intercept-url pattern="/images/**" access="permitAll" />
        <intercept-url pattern="/js/**" access="permitAll" />
        <intercept-url pattern="/public/**" access="permitAll" />
        <intercept-url pattern="/home/**" access="permitAll" />
        <intercept-url pattern="/user/**" access="hasRole('AUTH_MANAGE_USERS')" />
        <intercept-url pattern="/group/**" access="hasRole('AUTH_MANAGE_USERS')" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <access-denied-handler error-page="/403.html"/>
        <form-login login-page="/public/login.do" always-use-default-target="false"/>
        <logout invalidate-session="true" logout-success-url="/public/home.do"/>
    </http>

My Struts action is as follows:

    <package name="public" namespace="/public" extends="secure">
        <action name="login">
            <result name="success" type="tiles">tiles.login.panel</result>
            <result name="input" type="tiles">tiles.login.panel</result>
            <result name="error">/WEB-INF/jsp/error.jsp</result>
        </action>
        <action name="logout">
            <result name="success" type="redirect">/j_spring_security_logout</result>
        </action>
    </package>

And the login.jsp page (part of the tile) is looking for an exception from Spring Security ...

    <c:if test="${not empty param.login_error}">
        <span class="actionError">
            Your login attempt was not successful, try again.<br/><br/>
            Reason: <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}"/>.
        </span>
    </c:if>
    <form id="loginForm" name="loginForm" action="/j_spring_security_check" method="post">
        ...
    </form>

Can someone tell me what I am missing? Thank you in advance for any / all answers.

+4
2 answers

Spring Security does not automatically set param.login_error. You need to do it manually as follows:

    <form-login login-page="/public/login.do"
                authentication-failure-url="/public/login.do?login_error=1"
                always-use-default-target="false"/>
+7

One suggestion to help translate error messages, such as the final comment, is to use an AuthenticationFailureHandler to map different types of exceptions to different error codes, which UI-level code can use to look up unique messages. It looks like this:

    <security:form-login login-page="/login"
                         authentication-failure-handler-ref="authenticationFailureHandler"/>

    <bean id="authenticationFailureHandler"
          class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
        <property name="defaultFailureUrl" value="/login?reason=login_error"/>
        <property name="exceptionMappings">
            <map>
                <entry>
                    <key><value>org.springframework.security.authentication.LockedException</value></key>
                    <value>/login?reason=user_locked</value>
                </entry>
                <entry>
                    <key><value>org.springframework.security.authentication.DisabledException</value></key>
                    <value>/login?reason=user_disabled</value>
                </entry>
                <entry>
                    <key><value>org.springframework.security.authentication.AuthenticationServiceException</value></key>
                    <value>/login?reason=connection</value>
                </entry>
            </map>
        </property>
    </bean>
+1
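
An added example, not part of either answer above and not Spring Security's own code: `ExceptionMappingAuthenticationFailureHandler` looks up the exception's exact class name, so a subclass of a mapped exception falls through to `defaultFailureUrl`. The hypothetical `HierarchyAwareFailureHandler` below (class and package names are assumptions) walks up the superclass chain instead and accepts the same `exceptionMappings` and `defaultFailureUrl` properties as the bean definition in the second answer.

```java
package example; // hypothetical package name

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

public class HierarchyAwareFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    // Fully qualified exception class name -> redirect URL with a fixed reason code.
    private final Map<String, String> failureUrlMap = new HashMap<String, String>();

    // Same property name as the stock handler, so the XML <map> can be reused.
    public void setExceptionMappings(Map<String, String> mappings) {
        failureUrlMap.clear();
        failureUrlMap.putAll(mappings);
    }

    // Most specific match wins: try the concrete class first, then each superclass.
    String resolveUrl(Class<?> type) {
        for (Class<?> c = type; c != null; c = c.getSuperclass()) {
            String url = failureUrlMap.get(c.getName());
            if (url != null) {
                return url;
            }
        }
        return null;
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request,
            HttpServletResponse response, AuthenticationException exception)
            throws IOException, ServletException {
        String url = resolveUrl(exception.getClass());
        if (url != null) {
            // Only a configured URL is sent; no exception text reaches the query string.
            getRedirectStrategy().sendRedirect(request, response, url);
        } else {
            // Unmapped exception: defaultFailureUrl handling from the parent class.
            super.onAuthenticationFailure(request, response, exception);
        }
    }
}
```

On the login page, compare `param.reason` against the known codes and print a fixed message for each, rather than writing the parameter value into the page.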
