Greetings,
I'm new to the Spring world and I'm having a hard time getting a grasp of the Acegi security features. After taking some time to understand the pre-authentication APIs, I was able to extend the PreAuthenticatedProcessingFilter class to customize it to my needs.
However, I have a doubt: when the credential is not valid because the username doesn't exist, I'm throwing the UsernameNotFoundException, but what I see in the logs is "Cleared security context due to exception UsernameNotFoundException" and then the page is shown to the now unauthenticated customer.
I would have assumed that it would actually do a 403 - Access Denied. Here's my Application-Context, any help is highly appreciated.
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

    <global-method-security secured-annotations="enabled">
    </global-method-security>

    <security:http auto-config="false"
        entry-point-ref="preAuthenticatedProcessingFilterEntryPoint"
        access-denied-page="/AccessDenied.htm"
        once-per-request="false">
        <security:intercept-url pattern="/AccessDenied.htm" filters="none" />
        <security:intercept-url pattern="/**" access="ROLE_PAYER" />
        <security:concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true" />
        <security:anonymous />
        <security:logout />
    </security:http>

    <beans:import resource="classpath:common-beans.xml" />

    <beans:bean id="preAuthenticatedProcessingFilterEntryPoint"
        class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />

    <beans:bean id="siteMinderFilter"
        class="com.acme.something.security.RequestQueryStringPreAuthenticatedProcessingFilter">
        <security:custom-filter position="PRE_AUTH_FILTER" />
        <beans:property name="principalRequestQueryString" value="PP_USER" />
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>

    <beans:bean id="preauthAuthProvider"
        class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
        <security:custom-authentication-provider />
        <!-- <beans:property name="throwExceptionWhenTokenRejected" value="true" /> -->
        <beans:property name="preAuthenticatedUserDetailsService">
            <beans:bean id="userDetailsServiceWrapper"
                class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
                <beans:property name="userDetailsService" ref="userDetailsService" />
            </beans:bean>
        </beans:property>
    </beans:bean>

    <beans:bean id="userDetailsService"
        class="com.acme.something.security.PowerPayUserDetailsService">
        <beans:property name="payerDao" ref="payerDao" />
    </beans:bean>

    <security:authentication-manager alias="authenticationManager" />
</beans:beans>


