how to display custom error message in jsp for spring security auth exception

Question

I want to display custom error message in jsp for spring security authentication exceptions.

For wrong username or password,

spring displays : Bad credentials
what I need     : Username/Password entered is incorrect.

For user is disabled,

spring displays : User is disabled
what I need     : Your account is diabled, please contact administrator.

Do I need to override AuthenticationProcessingFilter just for this ? or else can I do something in jsp itself to find the authentication exception key and display different message

Answer 1

Redefine the properties in messages.properties inside spring security jar. For example add to the classpath myMessages.properties and add a message source to the context:

AbstractUserDetailsAuthenticationProvider.badCredentials=Username/Password entered is incorrect.
AbstractUserDetailsAuthenticationProvider.disabled=Your account is diabled, please contact administrator.

At Salvin Francis:

1. Add myMessages.properties to the WAR file inside WEB-INF/classes.
2. Add this bean to spring context config file

Message Source Bean

<bean id="messageSource"   
    class="org.springframework.context.support.ResourceBundleMessageSource">  
    <property name="basenames">  
        <list>
            <value>myMessages</value>
        </list>
    </property>
</bean>

Answer 2

After adding the "messageSource" bean, I had problems to get the Error Message work with the CookieLocaleResolver because the DispatcherServlet (which does use this for your application automatically) is invoked after the Security. See: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#localization

My Solution was a custom Filter which sets the LocalContextHolder:

public class LocaleContextFilter extends OncePerRequestFilter {
    private LocaleResolver localeResolver;
    public void setLocaleResolver(LocaleResolver localeResolver) {
        this.localeResolver = localeResolver;
    }
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain filterChain) throws ServletException, IOException {
        // store Local into ThreadLocale
        if (this.localeResolver != null) {
            final Locale locale = this.localeResolver.resolveLocale(request);
            LocaleContextHolder.setLocale(locale);
        }
        try {
            filterChain.doFilter(request, response);
        } finally {
            LocaleContextHolder.resetLocaleContext();
        }
    }
}

And the Spring Security Context configuration:

  <http use-expressions="true">
    <custom-filter ref="localeContextFilter" after="FIRST" />
    .....
  </http>
  <beans:bean id="localeContextFilter" class="at.telekom.ppp.util.opce.fe.interceptor.LocaleContextFilter" >
    <beans:property name="localeResolver" ref="localeResolver" /><!-- e.g.: CookieLocaleResolver -->
  </beans:bean>

I hope this helps others which has this problem.

Answer 3

Here is a JSP EL fix for this. More of a hack than an elegant solution, but gets the job done quick and dirty. Caveat- this is not i18n safe! Only English.

This requires the functions tag library:

<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>

And the replace code:

${fn:replace(SPRING_SECURITY_LAST_EXCEPTION.message, 'Bad credentials', 'Username/Password are incorrect')}

Answer 4

I am new to spring, but try this at the server:

throw new BadCredentialsException("This is my custom message !!");

Of course you need a class that is an authentication provider for this to work.