Problem getting form:errors tag to show errors in my custom login page

[springr]

I have a problem getting form:errors tag to work with my custom login page. It doesn't show any errors, but I do see the SPRING_SECURITY_LAST_EXCEPTION attribute populated in the session.
It does work (display error message) if I use Spring's default login-page.
I use Spring secutity 2.0.4 and spring 2.5.2.

I'm going crazy already after several days of struggling with this, please someone help!

-----------------------------------------------
My web.xml (security section):

Code:

   <filter>
      <filter-name>springSecurityFilterChain</filter-name>
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
   </filter>   
   <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>

-----------------------------------------------
My Spring context config file extract:

Code:

	<bean id="beanNameUrlMapping" class="org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping"/>
	<bean name="/accessDenied.htm" class="org.springframework.web.servlet.mvc.UrlFilenameViewController"/>		
	<bean name="/login.htm" class="org.springframework.web.servlet.mvc.UrlFilenameViewController"/>

Code:

	<!--  Security  -->
	<security:http auto-config="true" access-denied-page="/accessDenied.htm">	
		<security:intercept-url pattern="/login.htm*" filters="none"/>
		<security:intercept-url pattern="/*.htm" access="ROLE_USER" />
		<security:form-login login-page="/login.htm" default-target-url="/home.htm" authentication-failure-url="/login.htm?login_error=1"/>
		<security:logout logout-success-url="/home.htm"/>		
	</security:http>

Code:

	
	<security:authentication-provider>
	   <security:user-service properties="">	   	  
	      <security:user name="admin" password="secret" authorities="ROLE_USER,ADMIN_RIGHTS" />
	      <security:user name="user" password="secret" authorities="ROLE_USER" />
	   </security:user-service>
	</security:authentication-provider>

-----------------------------------------------

My JSP:

Version one (causes IllegalStateException):

Code:

	<form:form id="aform" action="j_spring_security_check" method="post">		
			<form:errors cssClass="error"/>
			<p>
				<form:label path="j_username" cssClass="label">User:</form:label>
				<form:input path="j_username" id="userid" />
			</p>
			<p>
				<form:label path="j_password" cssClass="label">Password:</form:label>
				<form:password path="j_password" id="userid" />
			</p>
			<input type="submit" id="submit" value="Sign In" />	
	</form:form>

Code:

java.lang.IllegalStateException: Neither BindingResult nor plain target object for bean name 'command' available as request attribute
	at org.springframework.web.servlet.support.BindStatus.<init>(BindStatus.java:143)
	at org.springframework.web.servlet.tags.form.AbstractDataBoundFormElementTag.getBindStatus(AbstractDataBoundFormElementTag.java:171)
	at org.springframework.web.servlet.tags.form.AbstractDataBoundFormElementTag.getPropertyPath(AbstractDataBoundFormElementTag.java:191)
	at org.springframework.web.servlet.tags.form.LabelTag.resolveFor(LabelTag.java:114)
	at org.springframework.web.servlet.tags.form.LabelTag.writeTagContent(LabelTag.java:88)
	at org.springframework.web.servlet.tags.form.AbstractFormTag.doStartTagInternal(AbstractFormTag.java:90)
	at org.springframework.web.servlet.tags.RequestContextAwareTag.doStartTag(RequestContextAwareTag.java:77)
	at org.apache.jsp.WEB_002dINF.jsp.login_jsp._jspx_meth_form_label_0(org.apache.jsp.WEB_002dINF.jsp.login_jsp:286)
	at org.apache.jsp.WEB_002dINF.jsp.login_jsp._jspService(org.apache.jsp.WEB_002dINF.jsp.login_jsp:159)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:93)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:373)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:470)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:364)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
	at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:502)
	at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:363)

-----------------------------------------------
Version two (does not cause exceptions, but never shows errors):

Code:

		<form id="aform" action="j_spring_security_check" method="post">
			<form:errors path="*" cssClass="error"/>
			<p>
				<label for="j_username" class="label">User:</label>
				<input type="text" name="j_username" id="userid" />
			</p>		
			<p>
				<label for="j_password" class="label">Password:</label>
				<input type="password" name="j_password" id="userid"/>
			</p>		
				<input type="submit" id="submit" value="Sign In"/>		
		</form>

-----------------------------------------------
HTTP Session does have the attribute populated when wrong id+password submitted:
SPRING_SECURITY_LAST_EXCEPTION=org.springframework .security.BadCredentialsException: Bad credentials(org.springframework.security.BadCreden tialsException)

And this code shows the error on the page:

Code:

<%    boolean loginError = request.getParameter("login_error") != null;
    String errorMsg = "none";

    if (loginError) {
        if(session != null) {
        	AuthenticationException ex = (AuthenticationException) session.getAttribute(AbstractProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY);
            errorMsg = ex != null ? ex.getMessage() : "none";
			out.println("<b>Login Error:"+ex+"</b>");
        }
    }
%>

but form:errors tag never does.


How can I make form:errors work for my login form?

[Marten Deinum]

The form tags only work when you use a Controller or Webflow and have a command object/form backing object. You don't have that with Spring Security there are only the 2 parameters no more no less. So you will not get the form:errors nor any of the form tags to work.

[springr]

Thanks Marten,

I tried using a login controller (I extended AbstractCommandController), but the same result - no error messages. Should I extend any other controller, more suitable for this situation? Do I need to write a validator for this simple scenario?

By the way, why does default Spring login-page show error messages, even without controller?

Thanks again!

[Marten Deinum]

You can make whatever controller you like but afterwards it is ignored. The login procedure is handled by the Spring Security FilterChain no Controller comes into play.

The default login shows an error because it prints out the errormessage available in the request attribute you mentioned earlier (exception.getMessage()).