Spring Security / SEC-1429

AuthenticationFailureHandler should be responsible for caching exception, not AbstractAuthenticationFilter

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.3, 3.1.0.M1
    • Component/s: Web
    • Labels: None

      Description

      The logic should be moved to the default failure handler. If using a forward to the failure URL, it should use "request" scope rather than storing the exception in the session. We want to avoid creating a session unnecessarily and avoid polluting the session. Any authentication-related session data should also be cleared up after a successful authentication.

        Activity

        Luke Taylor added a comment -

        The AuthenticationFailureHandler is now responsible for storing the AuthenticationException to make it available to an error page. It will use request scope if configured to use a forward instead of a redirect. People using custom implementations should be aware that the exception may not be available unless they store it themselves.

        The common session and request attribute key constants related to this functionality have been moved to the WebAttributes class and the original values deprecated.

        The default AuthenticationSuccessHandler implementations will now clear this failure-related information from the session when they are invoked.


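        The following is an added example (not code from the Spring Security project or from the issue's author) of the split that the description and the comment above describe: the failure handler, not the filter, decides where the AuthenticationException lives, using request scope for a forward and session scope only for a redirect, and the success handler removes the session copy afterwards. It assumes the Spring Security 3.0.3+ API (WebAttributes.AUTHENTICATION_EXCEPTION, AuthenticationFailureHandler, AuthenticationSuccessHandler); the failure URL, target URL, "useForward" and "allowSessionCreation" values are assumptions for the example.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

/**
 * Added example: the failure handler owns storage of the exception.
 * Constructor arguments (failure URL, forward flag, session-creation flag)
 * are assumptions for the example, not values from the issue.
 */
public class ExceptionStoringFailureHandler implements AuthenticationFailureHandler {

    private final String failureUrl;            // assumed, e.g. "/login.jsp?error=1"
    private final boolean useForward;           // forward vs. redirect to failureUrl
    private final boolean allowSessionCreation; // may a session be created just to carry the error?
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    public ExceptionStoringFailureHandler(String failureUrl, boolean useForward,
                                          boolean allowSessionCreation) {
        this.failureUrl = failureUrl;
        this.useForward = useForward;
        this.allowSessionCreation = allowSessionCreation;
    }

    public void onAuthenticationFailure(HttpServletRequest request,
                                        HttpServletResponse response,
                                        AuthenticationException exception)
            throws IOException, ServletException {
        if (useForward) {
            // Forward: the error page is rendered in this same request, so
            // request scope suffices and the session is never touched.
            request.setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, exception);
            request.getRequestDispatcher(failureUrl).forward(request, response);
            return;
        }
        // Redirect: the error page is a separate request, so only the session
        // can carry the exception. Create one only if the deployment allows it;
        // otherwise the error page simply sees no exception.
        HttpSession session = request.getSession(allowSessionCreation);
        if (session != null) {
            session.setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, exception);
        }
        redirectStrategy.sendRedirect(request, response, failureUrl);
    }
}

/**
 * Added example: on success, remove the failure attribute a previous
 * redirect may have left in the session, without creating a session.
 */
class ClearingSuccessHandler implements AuthenticationSuccessHandler {

    private final String targetUrl; // assumed, e.g. "/"
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    ClearingSuccessHandler(String targetUrl) {
        this.targetUrl = targetUrl;
    }

    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication)
            throws IOException, ServletException {
        // getSession(false): never create a session just to clean it up.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.removeAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
        }
        redirectStrategy.sendRedirect(request, response, targetUrl);
    }
}
```

        Two consequences follow for anyone plugging in a custom handler, as the comment above warns: if your failure handler neither sets the request attribute nor stores the exception in the session, an error page that reads WebAttributes.AUTHENTICATION_EXCEPTION will find nothing, and if your success handler does not remove the session attribute, a stale failure message can outlive the login that succeeded. Read the constant from WebAttributes rather than hard-coding the string, since the older attribute-key constants are deprecated in this fix.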
          People

          • Assignee: Luke Taylor
          • Reporter: Luke Taylor