Merge branch '6.0.x' into 6.1.x

Closes gh-14117
This commit is contained in:
Josh Cummings 2023-11-07 17:32:51 -07:00
commit bcef8f98aa
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
2 changed files with 25 additions and 4 deletions

View File

@ -35,6 +35,7 @@ import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.GenericFilterBean;
import org.springframework.web.util.HtmlUtils;
@ -266,11 +267,17 @@ public class DefaultLoginPageGeneratingFilter extends GenericFilterBean {
private String getLoginErrorMessage(HttpServletRequest request) {
HttpSession session = request.getSession(false);
if (session != null && session
.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION) instanceof AuthenticationException exception) {
return exception.getMessage();
if (session == null) {
return "Invalid credentials";
}
return "Invalid credentials";
if (!(session
.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION) instanceof AuthenticationException exception)) {
return "Invalid credentials";
}
if (!StringUtils.hasText(exception.getMessage())) {
return "Invalid credentials";
}
return exception.getMessage();
}
private String renderHiddenInputs(HttpServletRequest request) {

View File

@ -171,4 +171,18 @@ public class DefaultLoginPageGeneratingFilterTests {
.contains("<a href=\"/saml/sso/google\">Google &lt; &gt; &quot; &#39; &amp;</a>");
}
// gh-13768
@Test
public void generatesWhenExceptionWithEmptyMessageThenInvalidCredentials() throws Exception {
DefaultLoginPageGeneratingFilter filter = new DefaultLoginPageGeneratingFilter(
new UsernamePasswordAuthenticationFilter());
filter.setLoginPageUrl(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL);
MockHttpServletRequest request = new MockHttpServletRequest("GET", "/login");
request.setQueryString("error");
request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, new BadCredentialsException(null));
MockHttpServletResponse response = new MockHttpServletResponse();
filter.doFilter(request, response, this.chain);
assertThat(response.getContentAsString()).contains("Invalid credentials");
}
}