Check For Null Exception Message

Closes gh-13768
2025-05-30 08:42:13 +00:00 · 2023-11-07 17:19:35 -07:00 · 2023-11-07 17:19:35 -07:00 · 52675c80b3
commit 52675c80b3
parent b919ece045
2 changed files with 18 additions and 2 deletions
--- a/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -36,6 +36,7 @@ import org.springframework.security.web.authentication.AbstractAuthenticationPro
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 import org.springframework.web.filter.GenericFilterBean;
 import org.springframework.web.util.HtmlUtils;

@ -244,7 +245,8 @@ public class DefaultLoginPageGeneratingFilter extends GenericFilterBean {
 			if (session != null) {
 				AuthenticationException ex = (AuthenticationException) session
 					.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
-				errorMsg = (ex != null) ? ex.getMessage() : "Invalid credentials";
+				errorMsg = (ex != null && StringUtils.hasLength(ex.getMessage())) ? ex.getMessage()
+						: "Invalid credentials";
 			}
 		}
 		String contextPath = request.getContextPath();
--- a/web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java
@ -182,6 +182,20 @@ public class DefaultLoginPageGeneratingFilterTests {
 			.contains("<a href=\"/saml/sso/google\">Google &lt; &gt; &quot; &#39; &amp;</a>");
 	} // Fake OpenID filter (since it's not in this module

+	// gh-13768
+	@Test
+	public void generatesWhenExceptionWithEmptyMessageThenInvalidCredentials() throws Exception {
+		DefaultLoginPageGeneratingFilter filter = new DefaultLoginPageGeneratingFilter(
+				new UsernamePasswordAuthenticationFilter());
+		filter.setLoginPageUrl(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL);
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/login");
+		request.setQueryString("error");
+		request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, new BadCredentialsException(null));
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		filter.doFilter(request, response, this.chain);
+		assertThat(response.getContentAsString()).contains("Invalid credentials");
+	}
+
 	@SuppressWarnings("unused")
 	private static class MockProcessingFilter extends AbstractAuthenticationProcessingFilter {