How to handle exceptions thrown by Spring Security

[valeri_k]

I am using Spring Security for a project but I need to figure out how to display a custom message if the user's
account is disabled.

Currently when authentication fails I can only see the a boolean value that indicates if the authentication worked or failed.
Is there a way to get more details eg .. the authentication passed but the account is locked.

I have provided our configuration details below.


My login Controller:

Code:

@RequestMapping("/auth")
public class LoginController {

	@RequestMapping(value = "/login", method = RequestMethod.GET)
	public String getLoginPage(@RequestParam(value="error", required=false) boolean error,
			ModelMap model) {
		
		if (error == true) {

			//HOW DO I PROVIDE A CUSTOM ERROR MESSAGE?
			model.put("error", "You have entered an invalid username or password!");
		}

The following entries have been added to pplication web.xml:

Code:

	
<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>
			/WEB-INF/spring/root-context.xml
			/WEB-INF/spring/spring-security.xml
		</param-value>
	</context-param>

	<!-- Create the Spring security filter -->
	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>

	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

the spring-security.xml:

Code:

<security:form-login
				login-page="/auth/login" 
				authentication-failure-url="/auth/login?error=true" 
				default-target-url="/dashboard"/>
			
		<security:logout 
				invalidate-session="true" 
				logout-success-url="/auth/login" 
				logout-url="/auth/logout"/>
	
	</security:http>
	
	<!-- Declare an authentication-manager to use a custom userDetailsService -->
	<security:authentication-manager>
	        <security:authentication-provider user-service-ref="loginService">
	        </security:authentication-provider>
	</security:authentication-manager>

	<!-- A custom service where Spring will retrieve users and their corresponding access levels  -->
	<bean id="loginService" class="com.xxx.myapp.security.LoginService"/>

-----------------------

Our custom LoginService class

Code:

public class LoginService implements UserDetailsService {

public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException, DataAccessException {

		// Declare a null Spring User
		UserAuthorization user = null;

		try {

			com.my.User dbUser = userDao.findByEmail(email);


			user = new UserAuthorization(dbUser.getUserEmail(), dbUser.getName(), dbUser
					.getPassword().toLowerCase(), true, true, true, true,
					getAuthorities(dbUser.getRole()));
		} catch (Exception e) {
			throw new UsernameNotFoundException("Error in retrieving user");
		}

		return user;
	}

	public Collection<GrantedAuthority> getAuthorities(String role) {
                          .... 
		// Return list of granted authorities
		return authList;
	}

}

Please let me know if you need any more information

Thanks in advance

[Rob Winch]

By default Spring Security will store the last exception in session with the attribute SPRING_SECURITY_LAST_EXCEPTION. Take a look at the sample applications (i.e. the contacts sample) if you would like an example of how to use this.

[valeri_k]

Thanks a lot! That is what I was looking for ...

[Farahallen]

helpful post ..thanks

[steroid81]

Is it possible to check user status on every request, and store Exception to session by default? I see it possible only during authentication. Could you help me, p