diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
index 0043a8e9a9..4a3e8e4eb5 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
@@ -33,6 +33,7 @@ import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.context.DelegatingApplicationListener;
 import org.springframework.security.core.session.SessionRegistry;
 import org.springframework.security.core.session.SessionRegistryImpl;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
 import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
 import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
@@ -108,6 +109,7 @@ public final class SessionManagementConfigurer>
 private boolean enableSessionUrlRewriting;
 private String invalidSessionUrl;
 private String sessionAuthenticationErrorUrl;
+ private AuthenticationFailureHandler sessionAuthenticationFailureHandler;
 
 /**
 * Creates a new instance
@@ -161,6 +163,22 @@ public final class SessionManagementConfigurer>
 return this;
 }
 
+ /**
+ * Defines the {@code AuthenticationFailureHandler} which will be used when the
+ * SessionAuthenticationStrategy raises an exception. If not set, an unauthorized
+ * (402) error code will be returned to the client. Note that this attribute doesn't
+ * apply if the error occurs during a form-based login, where the URL for
+ * authentication failure will take precedence.
+ *
+ * @param sessionAuthenticationFailureHandler the handler to use
+ * @return the {@link SessionManagementConfigurer} for further customization
+ */
+ public SessionManagementConfigurer sessionAuthenticationFailureHandler(
+ AuthenticationFailureHandler sessionAuthenticationFailureHandler) {
+ this.sessionAuthenticationFailureHandler = sessionAuthenticationFailureHandler;
+ return this;
+ }
+
 /**
 * If set to true, allows HTTP sessions to be rewritten in the URLs when using
 * {@link HttpServletResponse#encodeRedirectURL(String)} or
@@ -439,6 +457,10 @@ public final class SessionManagementConfigurer>
 if (strategy != null) {
 sessionManagementFilter.setInvalidSessionStrategy(strategy);
 }
+ AuthenticationFailureHandler failureHandler = getSessionAuthenticationFailureHandler();
+ if (failureHandler != null) {
+ sessionManagementFilter.setAuthenticationFailureHandler(failureHandler);
+ }
 AuthenticationTrustResolver trustResolver = http
 .getSharedObject(AuthenticationTrustResolver.class);
 if (trustResolver != null) {
@@ -473,6 +495,13 @@ public final class SessionManagementConfigurer>
 this.invalidSessionStrategy = new SimpleRedirectInvalidSessionStrategy(
 this.invalidSessionUrl);
 }
+ if (this.invalidSessionUrl == null) {
+ return null;
+ }
+ if (this.invalidSessionStrategy == null) {
+ this.invalidSessionStrategy = new SimpleRedirectInvalidSessionStrategy(
+ this.invalidSessionUrl);
+ }
 return this.invalidSessionStrategy;
 }
 
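Review bot: The Javadoc on the new `sessionAuthenticationFailureHandler(...)` setter describes the fallback as "an unauthorized (402) error code", but 402 is Payment Required; an unauthorized response is 401, so the line should read `* (401) error code will be returned to the client.`. The doc also leaves open what happens when both this handler and `sessionAuthenticationErrorUrl` are configured; the getter added later in this commit returns the explicitly set handler first, so a sentence such as `* If both this handler and {@link #sessionAuthenticationErrorUrl(String)} are configured, this handler takes precedence.` would spare readers from checking the wiring.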
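Review bot: The seven lines added at `@@ -473,6 +495,13 @@` repeat logic that already precedes them in the same method, whose start lies outside the hunk: the new `if (this.invalidSessionStrategy == null)` test directly follows the context lines that assign that same field, so it can never hold, and the new `if (this.invalidSessionUrl == null) { return null; }` runs only after a strategy has already been built from that URL. This reads like a block duplicated during a merge rather than an intended behaviour change. Dropping the added lines so the method ends with the existing `return this.invalidSessionStrategy;` keeps the original behaviour and removes the dead branch.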
@@ -492,6 +521,22 @@ public final class SessionManagementConfigurer>
 return this.expiredSessionStrategy;
 }
 
+ AuthenticationFailureHandler getSessionAuthenticationFailureHandler() {
+ if (this.sessionAuthenticationFailureHandler != null) {
+ return this.sessionAuthenticationFailureHandler;
+ }
+
+ if (this.sessionAuthenticationErrorUrl == null) {
+ return null;
+ }
+
+ if (this.sessionAuthenticationFailureHandler == null) {
+ this.sessionAuthenticationFailureHandler = new SimpleUrlAuthenticationFailureHandler(
+ this.sessionAuthenticationErrorUrl);
+ }
+ return this.sessionAuthenticationFailureHandler;
+ }
+
 /**
 * Gets the {@link SessionCreationPolicy}. Can not be null.
 * @return the {@link SessionCreationPolicy}
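Review bot: In the new `getSessionAuthenticationFailureHandler()` the third check, `if (this.sessionAuthenticationFailureHandler == null)`, is always true by the time it is reached because the first branch has already returned when the field is non-null, so the guard adds nothing but doubt for the reader. The method is also package-private with no doc comment, while the neighbouring getters carry Javadoc; a one-liner like `/** Returns the configured failure handler, or one built lazily from the session authentication error URL; null when neither is set. */` would match the file. The body can be collapsed to a single lazy-init condition with the same result, as below; note that the lazily built handler is cached in the field, so a later change to the error URL will not be reflected, which may be worth stating in that comment.
```java
AuthenticationFailureHandler getSessionAuthenticationFailureHandler() {
    if (this.sessionAuthenticationFailureHandler == null && this.sessionAuthenticationErrorUrl != null) {
        this.sessionAuthenticationFailureHandler = new SimpleUrlAuthenticationFailureHandler(
                this.sessionAuthenticationErrorUrl);
    }
    return this.sessionAuthenticationFailureHandler;
}
```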