Spring 安全自定义错误消息未显示

Question

I was using a tutorial on this link:

http://www.mkyong.com/spring-security/display-custom-error-message-in-spring-security/

To show a custom error message on login form and I got it at the beginning. But after declaring a authentication-failure-handler-ref="myAuthErrorHandler" for a custom failure authenticator handler I can't see it the custom message on the login form:

What I am doing wrong? Can anybody explain me what happen and why the ' Invalid username or password ' doesn't show?

Here's the code:

AuthentificationListener

public class AuthentificationListener implements AuthenticationFailureHandler {

@Override
public void onAuthenticationFailure(HttpServletRequest request,
        HttpServletResponse response, AuthenticationException ae)
        throws IOException, ServletException {

    UsernamePasswordAuthenticationToken user = (UsernamePasswordAuthenticationToken) ae
            .getAuthentication();


    /* User */


    response.sendRedirect(request.getContextPath()
            + "/abc/main/loginfailed");

}

}

applicationContext.xml:

    <bean id="myAuthErrorHandler" class="org.abc.handler.AuthentificationListener"/>

Spring Security:

    <http auto-config="true">
    <intercept-url pattern="/abc/main/welcome*" access="ROLE_USER" />
    <intercept-url pattern="/abc/main/record/**" access="ROLE_USER" />

    <form-login 

    login-page="/abc/main/login" 

    authentication-failure-handler-ref="myAuthErrorHandler" 

    default-target-url="/abc/main/welcome"

    />


    <logout logout-success-url="/abc/main/logout" />

</http>

login.jsp:

        <c:if test="${not empty error}">
        <div class="errorblock">
            Your login attempt was not successful, try again.<br /> Caused :
            ${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}
        </div>

    </c:if>

LoginController.java:

    @RequestMapping(value="/loginfailed", method = RequestMethod.GET)
public String loginerror(ModelMap model) {

    model.addAttribute("error", "true");
    return "login";

}

Update: To answer on Mani answer, I'm using a LoginController , which redirects loginfailed requests to login.jsp and is sending an ' error ' attribute with the ' true ' value. The problem is I can't see the message on the login.jsp using this expression:

${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}

Any Idea? Thank You very much!

Answer 1

On Failure of Authendication, you have asked to redirect to different Page.

 response.sendRedirect(request.getContextPath()
        + "/abc/main/loginfailed");

your loginfailed jsp not displayed ? it doesn't has div like errorblock in login page ? are you seeing different error in loginfailed.jsp ?

EDIT:

Ok I got it . Before authentication-failure-handler-ref="myAuthErrorHandler" Spring Handles the failure case and placed message in Session with the key SPRING_SECURITY_LAST_EXCEPTION .
After adding the failure handler ie
authentication-failure-handler-ref="myAuthErrorHandler"
You have to handle the error. You can set the message in session. or simply call the super.onAuthenticationFailure . Your handler is not doing anything !!!

Answer 2

<div style="color: red">
    Your login attempt was not successful, try again.<br /> Caused :
    ${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}
</div>

use this, remove form login.jsp

create a properties file name as

• mymessages.properties
• AbstractUserDetailsAuthenticationProvider.badCredentials=Invalid username or password

and save it and place into your project classpath

and add the the bean in your spring-contex.xml

<bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
    <property name="basenames">
        <list>
            <value>mymessages</value>
        </list>
    </property>
</bean>