
Thread: SPRING_SECURITY_LAST_EXCEPTION in Spring Security 3.0.3 not set

  1. #1

    SPRING_SECURITY_LAST_EXCEPTION in Spring Security 3.0.3 not set

    I just upgraded from Spring Security 3.0.2 to 3.0.3. Everything seemed to work fine except when a login exception occurred (e.g. BadCredentials). Reverting back to 3.0.2 fixed the problem.

    Here is the code I use to display the login error message:
    Code:
    <c:if test="${!empty SPRING_SECURITY_LAST_EXCEPTION}">
    	<p class="error"><c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}"/></p>
    	<c:remove scope="session" var="SPRING_SECURITY_LAST_EXCEPTION"/>
    </c:if>

  2. #2


    Can anyone understand why this would work in Spring Security 3.0.2 but not 3.0.3? Thanks.

  3. #3
    Join Date: Sep 2004 | Location: Manchester, NH | Posts: 1,236

    I attempted to reproduce this with Spr Sec 3.0.3 vs 3.0.0 and it works fine with both. Are you sure that something else didn't change for you, such as web app version, servlet container, etc?
    Peter Mularien | Blog
    Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
    SCJP 5, Oracle DBA
    Any postings are my own opinion, and should not be attributed to my employer or clients.


  4. #4


    Nothing else changed other than updating the following jars with 3.0.3. When I put the 3.0.2 jars back it worked fine. I debugged into the code and saw the exception but it was never set on request.

    spring-security-acl-3.0.2.jar
    spring-security-config-3.0.2.jar
    spring-security-core-3.0.2.jar
    spring-security-taglibs-3.0.2.jar
    spring-security-web-3.0.2.jar

  5. #5
    Join Date: Sep 2004 | Location: Manchester, NH | Posts: 1,236

    Maybe there's something in your configuration that differs from mine, then. Can you post your Spring Sec configuration file?
    Peter Mularien | Blog


  6. #6


    Sure, here is my security config.

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:p="http://www.springframework.org/schema/p"
           xmlns:sec="http://www.springframework.org/schema/security"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
        <sec:global-method-security secured-annotations="enabled"/>
    
        <sec:http entry-point-ref="myAuthenticationEntryPoint" auto-config="false" path-type="ant">
            <!-- Restrict URLs based on role -->
            <sec:intercept-url pattern="/boutique" access="ROLE_NONE"/>
            <sec:intercept-url pattern="/boutique/" access="ROLE_NONE"/>
            <sec:intercept-url pattern="/myaccount/**" access="ROLE_USER" requires-channel="https"/>
            <sec:intercept-url pattern="/styles/**" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="any"/>
            <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="http"/>
            <sec:port-mappings>
                <sec:port-mapping http="80" https="443"/>
            </sec:port-mappings>
            <sec:anonymous key="anonymous" granted-authority="ROLE_ANONYMOUS" username="anonymous"/>
            <sec:custom-filter position="BASIC_AUTH_FILTER" ref="myAuthenticationProcessingFilter"/>
            <sec:custom-filter position="LOGOUT_FILTER" ref="logoutFilter"/>
        </sec:http>
    
        <sec:authentication-manager alias="authenticationManager">
        	<sec:authentication-provider ref="daoAuthenticationProvider"/>
        	<sec:authentication-provider ref="anonymousAuthenticationProvider"/>
        </sec:authentication-manager>
    
        <bean id="myLogoutHandler"
              class="org.mycommerce.profile.web.security.MyLogoutHandler"/>
    
    	<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
            <constructor-arg value="/welcome.htm"/>
            <constructor-arg>
                <list>
                    <ref bean="myLogoutHandler"/>
                </list>
            </constructor-arg>
            <property name="filterProcessesUrl" value="/logout"/>
        </bean>
    
        <!-- Custom login filter which replaces the default AUTHENTICATION_PROCESSING_FILTER -->
        <bean id="myAuthenticationProcessingFilter"
              class="com.mystore.web.profile.security.MyAuthenticationProcessingFilter">
            <property name="authenticationManager" ref="authenticationManager"/>
            <property name="filterProcessesUrl" value="/loginProcess"/>
            <property name="allowSessionCreation" value="true"/>
            <property name="authenticationSuccessHandler" ref="myAuthenticationSuccessHandler"/>
            <property name="authenticationFailureHandler" ref="myAuthenticationFailureHandler"/>
        </bean>
    
        <bean id="myAuthenticationFailureHandler"
        	class="org.mycommerce.profile.web.security.MyAuthenticationFailureHandler">
        	<constructor-arg value="/profile/login.htm"/>
        	<property name="redirectStrategy" ref="redirectStrategy"/>
        </bean>
    
        <bean id="myAuthenticationSuccessHandler"
        	class="org.mycommerce.profile.web.security.MyAuthenticationSuccessHandler">
        	<property name="defaultTargetUrl" value="/welcome.htm"/>
        	<property name="passwordChangeUri" value="/myaccount/myprofile.htm"/>
        	<property name="redirectStrategy" ref="redirectStrategy"/>
        </bean>
    
        <!-- My authentication entry point, can be replaced easily if we are doing custom commence of invalid auths. -->
        <bean id="myAuthenticationEntryPoint"
              class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
            <property name="loginFormUrl" value="/profile/login.htm"/>
            <property name="forceHttps" value="false"/>
        </bean>
    
        <bean id="redirectStrategy" class="org.mycommerce.profile.web.security.LocalRedirectStrategy"/>
    
        <bean id="anonymousAuthenticationProvider"
              class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
            <property name="key" value="anonymous"/>
        </bean>
    
        <bean id="daoAuthenticationProvider"
              class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
            <property name="userDetailsService" ref="myUserDetailsService"/>
            <property name="passwordEncoder" ref="passwordEncoder"/>
            <property name="forcePrincipalAsString" value="true"/>
        </bean>
    
        <bean id="messageSource"
              class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
            <property name="cacheSeconds" value="1"/>
            <property name="basename" value="WEB-INF/messages/security"/>
        </bean>
    
    </beans>

  7. #7


    Any ideas on how to debug why the SPRING_SECURITY_LAST_EXCEPTION isn't making it back to the page?

  8. #8
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team
    Join Date: Aug 2004 | Location: Glasgow, Scotland | Posts: 3,449

    You're probably hitting this issue:

    https://jira.springsource.org/browse/SEC-1429

    The logic has been moved to the default AuthenticationFailureHandler, so if you are using a custom one which doesn't extend SimpleUrlAuthenticationFailureHandler, you'll need to save it yourself.
    Spring - by Pivotal
    twitter @tekul

  9. #9


    I do have a custom FailureHandler that extends SimpleUrlAuthenticationFailureHandler to go to custom failure urls. This does not work in Spring Security 3.0.3 but it does work in 3.0.2.


    Code:
    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.apache.commons.lang.StringUtils;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

    // Class name and constructor follow the "myAuthenticationFailureHandler" bean in the config posted above;
    // StringUtil.cleanseUrlString is the poster's own helper and is not shown in this thread.
    public class MyAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
        // Kept locally because the field of the same name in the superclass is private.
        private final String defaultFailureUrl;

        public MyAuthenticationFailureHandler(String defaultFailureUrl) {
            super(defaultFailureUrl);
            this.defaultFailureUrl = defaultFailureUrl;
        }

        @Override
        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
            String failureUrlParam = StringUtil.cleanseUrlString(request.getParameter("failureUrl"));
            String successUrlParam = StringUtil.cleanseUrlString(request.getParameter("successUrl"));
            String failureUrl = StringUtils.trimToNull(failureUrlParam);
            if (failureUrl == null) {
                failureUrl = StringUtils.trimToNull(defaultFailureUrl);
            }
            if (failureUrl != null) {
                if (StringUtils.isNotEmpty(successUrlParam)) {
                    if (!failureUrl.contains("?")) {
                        failureUrl += "?successUrl=" + successUrlParam;
                    } else {
                        failureUrl += "&successUrl=" + successUrlParam;
                    }
                }
                // Redirects directly; super.onAuthenticationFailure is only reached when no failure URL is known.
                getRedirectStrategy().sendRedirect(request, response, failureUrl);
            } else {
                super.onAuthenticationFailure(request, response, exception);
            }
        }
    }

    Also, it would certainly be helpful if these fields were made protected in SimpleUrlAuthenticationFailureHandler for those, like me, that need to extend the functionality.
    Code:
        private String defaultFailureUrl;
        private boolean forwardToDestination = false;
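    The following is an added example, not code from this thread or from the Spring Security project. It ties together post #8 (in 3.0.3 the exception is saved by the default handler rather than by the filter) and post #9 (the custom handler above redirects itself, so the superclass code that would save the exception never runs). The subclass keeps the per-request failureUrl/successUrl behaviour but calls the superclass's protected saveException(...) before its own redirect, which is what puts SPRING_SECURITY_LAST_EXCEPTION into the session in 3.0.3. The class name, the package, and the localPathOrNull check (which only accepts context-relative paths for the redirect targets read from request parameters) are assumptions of this example.

```java
// Added example for Spring Security 3.0.3; package and class name are hypothetical.
package example.security;

import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

public class SavingAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    // Own copy of the default URL, since the superclass field is private.
    private final String defaultFailureUrl;

    public SavingAuthenticationFailureHandler(String defaultFailureUrl) {
        super(defaultFailureUrl);
        this.defaultFailureUrl = defaultFailureUrl;
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        String failureUrl = localPathOrNull(request.getParameter("failureUrl"));
        if (failureUrl == null) {
            failureUrl = defaultFailureUrl;
        }
        if (failureUrl == null) {
            // No target at all: let the superclass respond the way it normally does.
            super.onAuthenticationFailure(request, response, exception);
            return;
        }
        String successUrl = localPathOrNull(request.getParameter("successUrl"));
        if (successUrl != null) {
            failureUrl += (failureUrl.contains("?") ? "&" : "?") + "successUrl="
                    + URLEncoder.encode(successUrl, "UTF-8");
        }
        // In 3.0.3 SimpleUrlAuthenticationFailureHandler does this before its own redirect.
        // A subclass that redirects itself must call it explicitly, otherwise
        // SPRING_SECURITY_LAST_EXCEPTION is never stored and the JSP check above stays empty.
        saveException(request, exception);
        getRedirectStrategy().sendRedirect(request, response, failureUrl);
    }

    /**
     * Accepts only a context-relative path such as "/profile/login.htm"; absolute URLs and
     * protocol-relative "//host" forms are rejected so the redirect cannot leave the site.
     * This check is an assumption of the example, standing in for the poster's
     * StringUtil.cleanseUrlString and LocalRedirectStrategy.
     */
    static String localPathOrNull(String value) {
        if (value == null) {
            return null;
        }
        String v = value.trim();
        if (v.isEmpty() || !v.startsWith("/") || v.startsWith("//") || v.startsWith("/\\")) {
            return null;
        }
        return v;
    }
}
```

    To use it, point the "myAuthenticationFailureHandler" bean in the config above at this class (same single String constructor-arg). The JSP from post #1 then works unchanged, because saveException stores the exception under the same session key that SimpleUrlAuthenticationFailureHandler uses.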

  10. #10
    Join Date: Sep 2004 | Location: Manchester, NH | Posts: 1,236

    This is set in the session in AbstractAuthenticationProcessingFilter. My guess is that something is clearing or destroying the session after your login attempt. Since you seem to have a lot of custom filters and AuthenticationEntryPoint, it's going to be hard to determine where the issue is, but I've confirmed that with a straight, uncustomized 3.0.3 setup, what you describe works fine.

    Hope that helps?
    Peter Mularien | Blog

