diff --git a/core/src/main/java/org/springframework/security/config/FormLoginBeanDefinitionParser.java b/core/src/main/java/org/springframework/security/config/FormLoginBeanDefinitionParser.java index f0967d68b5..743e0de087 100644 --- a/core/src/main/java/org/springframework/security/config/FormLoginBeanDefinitionParser.java +++ b/core/src/main/java/org/springframework/security/config/FormLoginBeanDefinitionParser.java @@ -32,10 +32,6 @@ public class FormLoginBeanDefinitionParser implements BeanDefinitionParser { private static final String DEFAULT_FORM_LOGIN_TARGET_URL = "/"; private static final String FORM_LOGIN_AUTH_FAILURE_URL_ATTRIBUTE = "defaultTargetUrl"; - // TODO: Change AbstractProcessingFilter to not need a failure URL and just write a failure message - // to the response if one isn't set. - private static final String DEFAULT_FORM_LOGIN_AUTH_FAILURE_URL = "/loginError"; - public BeanDefinition parse(Element elt, ParserContext parserContext) { ConfigUtils.registerProviderManagerIfNecessary(parserContext); @@ -91,7 +87,7 @@ public class FormLoginBeanDefinitionParser implements BeanDefinitionParser { String authenticationFailureUrl = elt.getAttribute(FORM_LOGIN_AUTH_FAILURE_URL_ATTRIBUTE); if (!StringUtils.hasText(authenticationFailureUrl)) { - authenticationFailureUrl = DEFAULT_FORM_LOGIN_AUTH_FAILURE_URL; + authenticationFailureUrl = DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL + "?" + DefaultLoginPageGeneratingFilter.ERROR_PARAMETER_NAME; } filterBuilder.addPropertyValue("authenticationFailureUrl", authenticationFailureUrl); diff --git a/core/src/main/java/org/springframework/security/ui/webapp/DefaultLoginPageGeneratingFilter.java b/core/src/main/java/org/springframework/security/ui/webapp/DefaultLoginPageGeneratingFilter.java index 4d2ebfcea7..d83ad7a93a 100644 --- a/core/src/main/java/org/springframework/security/ui/webapp/DefaultLoginPageGeneratingFilter.java 
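Review bot: The lookup that feeds the new default, `elt.getAttribute(FORM_LOGIN_AUTH_FAILURE_URL_ATTRIBUTE)`, appears to read the wrong attribute, because the constant kept as context in the first hunk is defined as `"defaultTargetUrl"`. A configured default target URL would then also be used as the failure URL, and the new fallback would apply only when that attribute is empty. Unless this is intended, the constant should carry the schema's failure-URL attribute name, along the lines of `FORM_LOGIN_AUTH_FAILURE_URL_ATTRIBUTE = "<failure-url attribute from the schema>"`. Separately, the fallback always points at the generated page; if the generating filter is only registered when no `loginPage` is set, as the schema text in this commit suggests, a custom login page without an explicit failure URL would redirect failed logins to a URL nothing renders. The `parse` method continues outside the hunk, so both points need checking against the rest of it.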
+++ b/core/src/main/java/org/springframework/security/ui/webapp/DefaultLoginPageGeneratingFilter.java @@ -1,19 +1,18 @@ package org.springframework.security.ui.webapp; -import org.springframework.security.AuthenticationException; -import org.springframework.security.ui.AbstractProcessingFilter; -import org.springframework.security.ui.FilterChainOrderUtils; -import org.springframework.security.ui.SpringSecurityFilter; -import org.springframework.security.ui.rememberme.AbstractRememberMeServices; -import org.springframework.security.ui.rememberme.TokenBasedRememberMeServices; -import org.springframework.util.StringUtils; +import java.io.IOException; import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; -import java.io.IOException; + +import org.springframework.security.AuthenticationException; +import org.springframework.security.ui.AbstractProcessingFilter; +import org.springframework.security.ui.FilterChainOrderUtils; +import org.springframework.security.ui.SpringSecurityFilter; +import org.springframework.security.ui.rememberme.AbstractRememberMeServices; /** * For internal use with namespace configuration in the case where a user doesn't configure a login page. @@ -25,7 +24,8 @@ import java.io.IOException; * @version $Id$ */ public class DefaultLoginPageGeneratingFilter extends SpringSecurityFilter { - public static final String DEFAULT_LOGIN_PAGE_URL = "/login"; + public static final String DEFAULT_LOGIN_PAGE_URL = "/spring_security_login"; + public static final String ERROR_PARAMETER_NAME = "login_error"; private String authenticationUrl; private String usernameParameter; private String passwordParameter; 
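Review bot: The public constants `DEFAULT_LOGIN_PAGE_URL` and `ERROR_PARAMETER_NAME` in the last hunk here are now a cross-class contract, since FormLoginBeanDefinitionParser builds its default failure URL from them, yet neither is documented. A short Javadoc on each would help, for example `/** Path at which the generated login page is served; it has to remain reachable by unauthenticated users. */` and `/** Query parameter whose mere presence (the value is ignored) marks a failed login attempt. */`. The class body continues outside the hunk.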
@@ -52,7 +52,7 @@ public class DefaultLoginPageGeneratingFilter extends SpringSecurityFilter { } private String generateLoginPageHtml(HttpServletRequest request) { - boolean loginError = StringUtils.hasText(request.getParameter("login_error")); + boolean loginError = request.getParameter(ERROR_PARAMETER_NAME) != null; String errorMsg = "none"; String lastUser = ""; @@ -60,8 +60,12 @@ public class DefaultLoginPageGeneratingFilter extends SpringSecurityFilter { HttpSession session = request.getSession(false); if(session != null) { - errorMsg = ((AuthenticationException) - session.getAttribute(AbstractProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY)).getMessage(); + lastUser = (String) session.getAttribute(AuthenticationProcessingFilter.SPRING_SECURITY_LAST_USERNAME_KEY); + AuthenticationException ex = (AuthenticationException) session.getAttribute(AbstractProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY); + errorMsg = ex != null ? ex.getMessage() : "none"; + if (lastUser == null) { + lastUser = ""; + } } } diff --git a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.rnc b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.rnc index e1a0dc5c0a..94ef1c949d 100644 --- a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.rnc +++ b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.rnc @@ -105,7 +105,7 @@ form-login.attlist &= ## The URL that the form is submitted to [ a:defaultValue = "/j_spring_security_check" ] attribute loginUrl {xsd:string}? form-login.attlist &= - ## The URL for the login page + ## The URL for the login page. If no login URL is specified, Spring Security will automatically create a login URL at /spring_security_login and a corresponding filter to render that login URL when requested. attribute loginPage {xsd:string}? filter-chain-map = 
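Review bot: `lastUser` and `errorMsg` are read from the session in the second hunk of this file section and, judging by the method name `generateLoginPageHtml`, are written into the page markup further down, outside the hunk. The last username is whatever the client submitted, and an exception message may echo it as well, so if either is concatenated into the HTML unencoded the generated login page will render client-supplied markup. Both values should be HTML-encoded before they reach the output, e.g. `lastUser = HtmlUtils.htmlEscape(lastUser);` using Spring's `org.springframework.web.util.HtmlUtils` if spring-web is available to this module, or an equivalent local escaper. The two unchecked casts on `session.getAttribute(...)` also deserve a short comment naming which filter is expected to have stored those attributes.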
diff --git a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd index 6f7506d435..67120b5d56 100644 --- a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd +++ b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd @@ -221,7 +221,7 @@ - The URL for the login page + The URL for the login page. If no login URL is specified, Spring Security will automatically create a login URL at /spring_security_login and a corresponding filter to render that login URL when requested.