diff --git a/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java b/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java
index b70649a8e3..c727dbb623 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java
@@ -35,6 +35,7 @@ import org.springframework.security.web.WebAttributes;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 import org.springframework.web.filter.GenericFilterBean;
 import org.springframework.web.util.HtmlUtils;
@@ -266,11 +267,17 @@ public class DefaultLoginPageGeneratingFilter extends GenericFilterBean {
 private String getLoginErrorMessage(HttpServletRequest request) {
 HttpSession session = request.getSession(false);
- if (session != null && session
- .getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION) instanceof AuthenticationException exception) {
- return exception.getMessage();
+ if (session == null) {
+ return "Invalid credentials";
 }
- return "Invalid credentials";
+ if (!(session
+ .getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION) instanceof AuthenticationException exception)) {
+ return "Invalid credentials";
+ }
+ if (!StringUtils.hasText(exception.getMessage())) {
+ return "Invalid credentials";
+ }
+ return exception.getMessage();
 }
 private String renderHiddenInputs(HttpServletRequest request) {
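Review bot: The fallback literal `"Invalid credentials"` is now repeated four times in getLoginErrorMessage, which invites the copies drifting apart; hoist it once, `private static final String DEFAULT_ERROR_MESSAGE = "Invalid credentials";`, and return the constant from each guard. Since the method now returns the exception's own text whenever it is non-blank, and that text can echo request-derived values such as the submitted username, confirm that the caller (outside this hunk) still passes the result through `HtmlUtils.htmlEscape` before it is written into the page — the import is present, but the rendering line is not shown here. A short Javadoc on the method stating that a missing session, a missing or non-AuthenticationException attribute, and a blank message all yield the generic text would make the intent of the three guards explicit.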
diff --git a/web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java
index 6c683ba8f5..12fdacdcf8 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java
@@ -171,4 +171,18 @@ public class DefaultLoginPageGeneratingFilterTests {
 .contains("Google < > " ' &");
 }
+ // gh-13768
+ @Test
+ public void generatesWhenExceptionWithEmptyMessageThenInvalidCredentials() throws Exception {
+ DefaultLoginPageGeneratingFilter filter = new DefaultLoginPageGeneratingFilter(
+ new UsernamePasswordAuthenticationFilter());
+ filter.setLoginPageUrl(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL);
+ MockHttpServletRequest request = new MockHttpServletRequest("GET", "/login");
+ request.setQueryString("error");
+ request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, new BadCredentialsException(null));
+ MockHttpServletResponse response = new MockHttpServletResponse();
+ filter.doFilter(request, response, this.chain);
+ assertThat(response.getContentAsString()).contains("Invalid credentials");
+ }
+
 }
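Review bot: The new test only covers a null message (`new BadCredentialsException(null)`), although the production change uses `StringUtils.hasText`, whose added behaviour over a plain null check is rejecting empty and whitespace-only strings; the name "EmptyMessage" promises that case but it is not exercised. Add a sibling case, or parameterize this one, with `new BadCredentialsException("")` and `new BadCredentialsException(" ")` asserting the same `"Invalid credentials"` output. The test also cannot distinguish the fallback from a genuine message, so a companion assertion that a non-blank message such as `new BadCredentialsException("custom")` is rendered would pin the positive path of the same branch.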