Spring security not displaying error messages

Question

im having a problem displaying a spring error message if the login credentials are invalid. when i try to login with the wrong user name or password, it just reloads the the login page but no error message is shown. root-context.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:cloud="http://schema.cloudfoundry.org/spring"
xmlns:jdbc="http://www.springframework.org/schema/jdbc"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/jdbc   http://www.springframework.org/schema/jdbc/spring-jdbc-3.1.xsd
http://schema.cloudfoundry.org/spring http://schema.cloudfoundry.org/spring/cloudfoundry-spring-0.7.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">

<context:property-placeholder location="classpath:config.properties" /> 
<!-- Register the Customer.properties -->
<bean id="messageSource"
class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basenames">
<list>
<value>mymessages</value>
</list>
</property>
</bean>
<bean id="jdbcTemplate" class="org.springframework.jdbc.core.JdbcTemplate">  
<property name="dataSource" ref="dataSource"></property>    
</bean>   
<!-- Initialization for data source -->
<bean id="dataSource" 
  class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="${database.driver}" />
<property name="url" value="${database.url}" />
<property name="username" value="${database.user}" />
<property name="password" value="${database.password}" />
</bean> 



<!-- Spring Security -->
<!-- No security for resources directory logout-url="/j_spring_security_logout" -->
<security:http pattern="/resources/**" security="none" auto-config='false'/>
<!-- REST services are secured with Basic Auth -->
<security:http auto-config='true'>
<security:intercept-url pattern="/Admin" access="ROLE_ADMIN" />
<security:access-denied-handler error-page="/accessdenied"/>
<security:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" /><!-- allows all user to access the login page -->
<security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN" /><!-- makes all pages secured requiring the roll ROLL_USER  to access them -->
<security:form-login login-page='/login' default-target-url="/" always-use-default-target='true' 
authentication-failure-url="/loginfailed"/><!--supplying my own login form/page-->
<security:logout logout-success-url="/" logout-url="/j_spring_security_logout"/>
</security:http>

<security:authentication-manager>
<security:authentication-provider>
<security:jdbc-user-service 
data-source-ref="dataSource"
users-by-username-query="SELECT USERNAME, PASSWORD, ENABLED FROM TrainAppDB.dbo.tbl_Users WHERE USERNAME=?"
authorities-by-username-query="SELECT u.USERNAME, ur.AUTHORITY FROM TrainAppDB.dbo.tbl_Users u, TrainAppDB.dbo.tbl_UserRoles ur WHERE u.USER_ID = ur.USER_ID AND u.USERNAME=?"/>
</security:authentication-provider>
</security:authentication-manager>

<context:component-scan base-package="com.billy"/> 

</beans>

i have also tried

<security:http auto-config='true'>
<security:intercept-url pattern="/Admin" access="ROLE_ADMIN" />
<security:access-denied-handler error-page="/accessdenied"/>
<security:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<security:intercept-url pattern="/**" access="ROLE_USER, ROLE_ADMIN" />
<security:form-login login-page='/login' default-target-url="/"authentication-failure-url="/loginfailed"/>
<security:logout logout-success-url="/" logout-url="/j_spring_security_logout"/>
</security:http>

login controller

@Controller
public class LoginController extends BaseController{

@RequestMapping(value="/", method = RequestMethod.GET)
public String printWelcome(ModelMap model, Principal principal ) {

String name = principal.getName();
model.addAttribute("username", name);
model.addAttribute("message", "Spring Security Custom Form example");
return "home";
}

@RequestMapping(value = "/login", method = RequestMethod.GET)
public String home(Model model) 
{
return "login";
}

@RequestMapping(value = "/loginfailed", method = RequestMethod.GET)
public String home2(Model model) 
{
model.addAttribute("error", "true");
return "login";
}

@RequestMapping(value="/logout", method = RequestMethod.GET)
public String logout(ModelMap model) {

return "login";

}

}

And finally my login.jsp

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
<%@ page session="true"%>
<%@ include file="include/head.jsp"%>
<body>
<%@ include file="include/login1.jsp"%>

<c:if test="${not empty error}">
<div class="errorblock">
Your login attempt was not successful, try again.<br /> Caused :
${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}
</div>
</c:if>

</body>
</html>

Answer 1

spring security sends a redirect in case of a authentication failure => the SPRING_SECURITY_LAST_EXCEPTION request attribute is no longer available in your /loginfailed handler since it's a new request.

but spring adds the error parameter containing the message to the redirect. you could also implement a custom AuthenticatinoFailureHandler

SimpleUrlAuthenticationFailureHandler