Thread: SPRING_SECURITY_LAST_USERNAME not available when allowSessionCreation = "false"

  1. #1

    Hi,

    I am using Spring security in a relatively simple web application. On unsuccessful authentication, I'd like to pre-populate the username field.

    I'm able to achieve this if I allow session creation, however I'd like to do it without creating extra sessions. I'm able to show the SPRING_SECURITY_LAST_EXCEPTION without creating a session, but SPRING_SECURITY_LAST_USERNAME is only stored in the session scope.

    Here is my authentication handler:

    Code:

    <beans:bean id="failureHandler"
                class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <beans:property name="allowSessionCreation" value="false"/>
        <beans:property name="defaultFailureUrl" value="/index.html?login_error"/>
        <beans:property name="useForward" value="true"/>
    </beans:bean>

    Is there any particular reason that the SPRING_SECURITY_LAST_USERNAME is only stored in session scope? The SPRING_SECURITY_LAST_EXCEPTION is stored in session or request scope depending on the useForward property, i.e. from SimpleUrlAuthenticationFailureHandler:

    Code:

    protected final void saveException(HttpServletRequest request, AuthenticationException exception) {
        if (forwardToDestination) {
            request.setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, exception);
        } else {
            HttpSession session = request.getSession(false);

            if (session != null || allowSessionCreation) {
                request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, exception);
            }
        }
    }

    Obviously I can extend SimpleUrlAuthenticationFailureHandler myself, I was just wondering why this isn't done automatically by Spring Security?

    Thanks!

  2. #2

    OK, answered this one myself after a little more time:

    As a workaround, one can simply use ${SPRING_SECURITY_LAST_EXCEPTION.authentication.principal} to re-render the last username instead of ${SPRING_SECURITY_LAST_USERNAME}, as SPRING_SECURITY_LAST_EXCEPTION is an instance of org.springframework.security.core.AuthenticationException.
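
Added example, not part of the original posts or of Spring Security itself: one way to do the extension mentioned in post #1, keeping the submitted username in request scope when `useForward` is true and touching the session only under the same conditions as `saveException`. It assumes the login form uses the default username parameter and the 3.x handler's protected `isUseForward()` / `isAllowSessionCreation()` accessors; the class name and the `LOGIN_LAST_USERNAME` attribute are hypothetical.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

public class LastUsernameFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    // Hypothetical attribute name chosen for this example.
    public static final String LAST_USERNAME = "LOGIN_LAST_USERNAME";

    // Cap what is echoed back so an oversized value is never stored or rendered.
    private static final int MAX_LENGTH = 100;

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        // Assumption: the form posts the default username parameter name.
        String username = request.getParameter(
                UsernamePasswordAuthenticationFilter.SPRING_SECURITY_FORM_USERNAME_KEY);
        if (username != null) {
            username = username.trim();
            if (username.length() > MAX_LENGTH) {
                username = username.substring(0, MAX_LENGTH);
            }
            if (isUseForward()) {
                // Forwarding keeps the same request object, so no session is needed.
                request.setAttribute(LAST_USERNAME, username);
            } else {
                // Redirect case: same rule as saveException, never force a new session.
                HttpSession session = request.getSession(false);
                if (session != null || isAllowSessionCreation()) {
                    request.getSession().setAttribute(LAST_USERNAME, username);
                }
            }
        }
        // Let the parent store the exception and perform the forward or redirect.
        super.onAuthenticationFailure(request, response, exception);
    }
}
```

The stored value is unvalidated user input, so the login page should render it HTML-escaped (for example with JSTL `<c:out>`) rather than as a raw `${...}` expression.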

  3. #3

    spring security: from spring 2 to spring 3

    Hello,

    Please, has anyone faced migrating code from Spring 2 to Spring 3 for the security part?
    For instance, how to migrate the following Spring 2 code:

    <bean id="formAuthenticationProcessingFilter"
          class="org.springframework.security.web.authentication.AuthenticationProcessingFilter">
        <property name="authenticationManager">
            <ref bean="authenticationManager" />
        </property>
        <property name="authenticationFailureUrl">
            <value>/login.do?error=true</value>
        </property>
        <property name="exceptionMappings">
            <props>
                <prop
                    key="org.springframework.security.authentication.LockedException">
                    /login.do?error=locked
                </prop>
                <prop
                    key="fr.gouv.defense.terre.dccat.louvois.gestionnaire.impl.habilitation.exception.UtilisateurNonTrouveException">
                    /login.do?error=user
                </prop>
                <prop
                    key="fr.gouv.defense.terre.dccat.louvois.gestionnaire.impl.habilitation.exception.DonneesInsuffisanteException">
                    /login.do?error=donnees
                </prop>
                <prop
                    key="org.acegisecurity.concurrent.ConcurrentLoginException">
                    /login.do?error=concurrent
                </prop>
            </props>
        </property>
        <property name="defaultTargetUrl">
            <value>/verifyPremiereConnexion.do</value>
        </property>
        <property name="filterProcessesUrl">
            <value>/verifylogin</value>
        </property>
    </bean>

    to Spring 3?

    AuthenticationProcessingFilter (or even UsernamePasswordAuthenticationFilter) is deprecated and is completely different.

    Thank you.

    Faithfully

  4. #4

    I suggest you start a new thread for a new question.
