Fix authenticationFailureHandler not being used

The custom server authenticationFailureHandler was not always picked up Fixes: gh-7782
2020-01-27 13:10:03 +01:00 · 2020-01-27 13:10:03 +01:00 · 29377545d9
parent e62fb755e8
commit 29377545d9
2 changed files with 35 additions and 1 deletions
--- a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
@ -3050,7 +3050,9 @@ public class ServerHttpSecurity {
 			this.defaultEntryPoint = new RedirectServerAuthenticationEntryPoint(loginPage);
 			this.authenticationEntryPoint = this.defaultEntryPoint;
 			this.requiresAuthenticationMatcher = ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, loginPage);
-			this.authenticationFailureHandler = new RedirectServerAuthenticationFailureHandler(loginPage + "?error");
+			if (this.authenticationFailureHandler == null) {
+				this.authenticationFailureHandler = new RedirectServerAuthenticationFailureHandler(loginPage + "?error");
+			}
 			return this;
 		}

--- a/config/src/test/java/org/springframework/security/config/web/server/FormLoginTests.java
+++ b/config/src/test/java/org/springframework/security/config/web/server/FormLoginTests.java
@ -33,6 +33,7 @@ import org.springframework.security.htmlunit.server.WebTestClientHtmlUnitDriverB
 import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 import org.springframework.security.web.server.WebFilterChainProxy;
+import org.springframework.security.web.server.authentication.RedirectServerAuthenticationFailureHandler;
 import org.springframework.security.web.server.authentication.RedirectServerAuthenticationSuccessHandler;
 import org.springframework.security.web.server.context.ServerSecurityContextRepository;
 import org.springframework.security.web.server.csrf.CsrfToken;
@ -213,6 +214,37 @@ public class FormLoginTests {
 		homePage.assertAt();
 	}

+	@Test
+	public void formLoginWhenCustomAuthenticationFailureHandlerThenUsed() {
+		SecurityWebFilterChain securityWebFilter = this.http
+			.authorizeExchange()
+				.pathMatchers("/login", "/failure").permitAll()
+				.anyExchange().authenticated()
+				.and()
+			.formLogin()
+				.authenticationFailureHandler(new RedirectServerAuthenticationFailureHandler("/failure"))
+				.and()
+			.build();
+
+		WebTestClient webTestClient = WebTestClientBuilder
+				.bindToWebFilters(securityWebFilter)
+				.build();
+
+		WebDriver driver = WebTestClientHtmlUnitDriverBuilder
+				.webTestClientSetup(webTestClient)
+				.build();
+
+		DefaultLoginPage loginPage = HomePage.to(driver, DefaultLoginPage.class)
+				.assertAt();
+
+		loginPage.loginForm()
+				.username("invalid")
+				.password("invalid")
+				.submit(HomePage.class);
+
+		assertThat(driver.getCurrentUrl()).endsWith("/failure");
+	}
+
 	@Test
 	public void authenticationSuccess() {
 		SecurityWebFilterChain securityWebFilter = this.http