
Enhancements to correctly handle authentication failures.

Ben Alex 18 лет назад
Родитель
Сommit
021f03487e

+ 1 - 5
core/src/main/java/org/springframework/security/config/FormLoginBeanDefinitionParser.java

@@ -32,10 +32,6 @@ public class FormLoginBeanDefinitionParser implements BeanDefinitionParser {
     private static final String DEFAULT_FORM_LOGIN_TARGET_URL = "/";
 
     private static final String FORM_LOGIN_AUTH_FAILURE_URL_ATTRIBUTE = "defaultTargetUrl";
-    // TODO: Change AbstractProcessingFilter to not need a failure URL and just write a failure message
-    // to the response if one isn't set.
-    private static final String DEFAULT_FORM_LOGIN_AUTH_FAILURE_URL = "/loginError";
-
 
     public BeanDefinition parse(Element elt, ParserContext parserContext) {
         ConfigUtils.registerProviderManagerIfNecessary(parserContext);
@@ -91,7 +87,7 @@ public class FormLoginBeanDefinitionParser implements BeanDefinitionParser {
         String authenticationFailureUrl = elt.getAttribute(FORM_LOGIN_AUTH_FAILURE_URL_ATTRIBUTE);
 
         if (!StringUtils.hasText(authenticationFailureUrl)) {
-            authenticationFailureUrl = DEFAULT_FORM_LOGIN_AUTH_FAILURE_URL;
+            authenticationFailureUrl = DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL + "?" + DefaultLoginPageGeneratingFilter.ERROR_PARAMETER_NAME;
         }
 
         filterBuilder.addPropertyValue("authenticationFailureUrl", authenticationFailureUrl);
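Review bot: The new fallback `authenticationFailureUrl = DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL + "?" + DefaultLoginPageGeneratingFilter.ERROR_PARAMETER_NAME;` is applied whenever the attribute is blank, including configurations that supply their own `loginPage`; if the generating filter is only registered when no login page is configured (not visible here), those deployments would redirect failures to `/spring_security_login?login_error` with nothing serving it, so the fallback should probably append the error parameter to the configured login page instead. Separately, the attribute name this hunk reads through, `FORM_LOGIN_AUTH_FAILURE_URL_ATTRIBUTE`, is defined as `"defaultTargetUrl"` in the first hunk, so the failure URL is taken from what reads as the success-target attribute; worth confirming against the schema, and a comment such as `// reads the failure URL from the element; note the attribute name differs from the constant name` would at least flag it. The `parse` method continues outside the hunk.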

+ 16 - 12
core/src/main/java/org/springframework/security/ui/webapp/DefaultLoginPageGeneratingFilter.java

@@ -1,19 +1,18 @@
 package org.springframework.security.ui.webapp;
 
-import org.springframework.security.AuthenticationException;
-import org.springframework.security.ui.AbstractProcessingFilter;
-import org.springframework.security.ui.FilterChainOrderUtils;
-import org.springframework.security.ui.SpringSecurityFilter;
-import org.springframework.security.ui.rememberme.AbstractRememberMeServices;
-import org.springframework.security.ui.rememberme.TokenBasedRememberMeServices;
-import org.springframework.util.StringUtils;
+import java.io.IOException;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
-import java.io.IOException;
+
+import org.springframework.security.AuthenticationException;
+import org.springframework.security.ui.AbstractProcessingFilter;
+import org.springframework.security.ui.FilterChainOrderUtils;
+import org.springframework.security.ui.SpringSecurityFilter;
+import org.springframework.security.ui.rememberme.AbstractRememberMeServices;
 
 /**
  * For internal use with namespace configuration in the case where a user doesn't configure a login page.
@@ -25,7 +24,8 @@ import java.io.IOException;
  * @version $Id$
  */
 public class DefaultLoginPageGeneratingFilter extends SpringSecurityFilter {
-    public static final String DEFAULT_LOGIN_PAGE_URL = "/login";
+    public static final String DEFAULT_LOGIN_PAGE_URL = "/spring_security_login";
+    public static final String ERROR_PARAMETER_NAME = "login_error";
     private String authenticationUrl;
     private String usernameParameter;
     private String passwordParameter;
@@ -52,7 +52,7 @@ public class DefaultLoginPageGeneratingFilter extends SpringSecurityFilter {
     }
 
     private String generateLoginPageHtml(HttpServletRequest request) {
-        boolean loginError = StringUtils.hasText(request.getParameter("login_error"));
+        boolean loginError = request.getParameter(ERROR_PARAMETER_NAME) != null;
         String errorMsg = "none";
         String lastUser = "";
 
@@ -60,8 +60,12 @@ public class DefaultLoginPageGeneratingFilter extends SpringSecurityFilter {
             HttpSession session = request.getSession(false);
 
             if(session != null) {
-                 errorMsg = ((AuthenticationException)
-                        session.getAttribute(AbstractProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY)).getMessage();
+            	lastUser = (String) session.getAttribute(AuthenticationProcessingFilter.SPRING_SECURITY_LAST_USERNAME_KEY);
+            	AuthenticationException ex = (AuthenticationException) session.getAttribute(AbstractProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY);
+                errorMsg = ex != null ? ex.getMessage() : "none";
+                if (lastUser == null) {
+                	lastUser = "";
+                }
             }
         }
 
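Review bot: `lastUser` is now read from the session via `SPRING_SECURITY_LAST_USERNAME_KEY` and, by its name and the surrounding page-generation code, will be written into the generated login form; that value originates from a client-supplied request parameter, so wherever it is inserted into the markup (outside this hunk) it must be HTML-escaped, otherwise the auto-generated page reflects unescaped input. The same applies to `errorMsg`, since `AuthenticationException` messages can echo user-supplied data. Minor: `errorMsg` is already initialised to `"none"` in the previous hunk, so `errorMsg = ex != null ? ex.getMessage() : "none";` repeats that default, and the added lines mix tab and space indentation. The body of `generateLoginPageHtml` continues outside the hunk.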

+ 1 - 1
core/src/main/resources/org/springframework/security/config/spring-security-2.0.rnc

@@ -105,7 +105,7 @@ form-login.attlist &=
     ## The URL that the form is submitted to
     [ a:defaultValue = "/j_spring_security_check" ] attribute loginUrl {xsd:string}?   
 form-login.attlist &=
-    ## The URL for the login page
+    ## The URL for the login page. If no login URL is specified, Spring Security will automatically create a login URL at /spring_security_login and a corresponding filter to render that login URL when requested.
     attribute loginPage {xsd:string}?   
 
 filter-chain-map = 

+ 1 - 1
core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd

@@ -221,7 +221,7 @@
     </xs:attribute>
     <xs:attribute name="loginPage" type="xs:string">
       <xs:annotation>
-        <xs:documentation>The URL for the login page</xs:documentation>
+        <xs:documentation>The URL for the login page. If no login URL is specified, Spring Security will automatically create a login URL at /spring_security_login and a corresponding filter to render that login URL when requested.</xs:documentation>
       </xs:annotation>
     </xs:attribute>
   </xs:attributeGroup>