From 52675c80b346bb71887b3cd24ca6c7d7e357d94e Mon Sep 17 00:00:00 2001
From: Josh Cummings
Date: Tue, 7 Nov 2023 17:19:35 -0700
Subject: [PATCH] Check For Null Exception Message

Closes gh-13768
---
 .../ui/DefaultLoginPageGeneratingFilter.java | 6 ++++--
 .../DefaultLoginPageGeneratingFilterTests.java | 14 ++++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java b/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java
index 7678da221a..6fc18bd463 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -36,6 +36,7 @@ import org.springframework.security.web.authentication.AbstractAuthenticationPro
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 import org.springframework.web.filter.GenericFilterBean;
 import org.springframework.web.util.HtmlUtils;
 
@@ -244,7 +245,8 @@ public class DefaultLoginPageGeneratingFilter extends GenericFilterBean {
 if (session != null) {
 AuthenticationException ex = (AuthenticationException) session
 .getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
- errorMsg = (ex != null) ? ex.getMessage() : "Invalid credentials";
+ errorMsg = (ex != null && StringUtils.hasLength(ex.getMessage())) ? ex.getMessage()
+ : "Invalid credentials";
 }
 }
 String contextPath = request.getContextPath();
diff --git a/web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java
index 3e4fc05102..a67f933917 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java
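Review bot: In DefaultLoginPageGeneratingFilter.java, the new guard on `errorMsg` uses `StringUtils.hasLength`, which treats a whitespace-only message as present, so an exception whose message is `" "` still renders a blank error instead of the "Invalid credentials" fallback. `StringUtils.hasText(ex.getMessage())` would cover null, empty and blank in one check. The value chosen here is an exception message read from the session and ends up in the generated login page; the code that writes `errorMsg` into the HTML is outside this hunk, so it is worth confirming that it still goes through `HtmlUtils.htmlEscape` there. The enclosing method starts and ends outside the hunk.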
@@ -182,6 +182,20 @@ public class DefaultLoginPageGeneratingFilterTests { .contains("Google < > " ' &"); } // Fake OpenID filter (since it's not in this module + // gh-13768 + @Test + public void generatesWhenExceptionWithEmptyMessageThenInvalidCredentials() throws Exception { + DefaultLoginPageGeneratingFilter filter = new DefaultLoginPageGeneratingFilter( + new UsernamePasswordAuthenticationFilter()); + filter.setLoginPageUrl(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL); + MockHttpServletRequest request = new MockHttpServletRequest("GET", "/login"); + request.setQueryString("error"); + request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, new BadCredentialsException(null)); + MockHttpServletResponse response = new MockHttpServletResponse(); + filter.doFilter(request, response, this.chain); + assertThat(response.getContentAsString()).contains("Invalid credentials"); + } + @SuppressWarnings("unused") private static class MockProcessingFilter extends AbstractAuthenticationProcessingFilter {
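Review bot: The added test is named `generatesWhenExceptionWithEmptyMessageThenInvalidCredentials` but builds the exception with `new BadCredentialsException(null)`, so only the null case of the new check is exercised. A second case using `new BadCredentialsException("")` would pin the empty-string path that the name promises. A one-line comment such as `// null and empty messages must fall back to the generic text` above the assertions would also make the intent clear next to the `gh-13768` reference.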