0

I'm using Spring MVC and Spring Security on a project, and am implementing a login form with it. I've run into a sort of strange behaviour, which I wouldn't expect, and I was wondering if there is a way to avoid it.

When there is an authentication error on the login form, I have a method in my controller to handle it:

@RequestMapping(value="/failed", method = RequestMethod.GET)
public String showLoginFailurePage(Model model, HttpServletRequest request) {
    String authExClass = "";
    AuthenticationException authEx = (AuthenticationException) request.getSession().getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);

    if (authEx != null) {
        authExClass = authEx.getClass().getSimpleName();
    }
    model.addAttribute("authExClass", authExClass);
    return LOGIN_PAGE;
}

This works initially, allowing me to display an error when an authentication error occurs. However, if I refresh the page, I would expect that the AuthenticationException would no longer be attached to the session, and thus I wouldn't display an error to the user. However, it seems that the exception persists beyond a refresh. Do I have an incorrect assumption? Should I not be using my request object this way?

Thanks! idbentley

1 Answer

3

Well, does any code clear the AUTHENTICATION_EXCEPTION from the Session? Spring Security may not automatically clear this from the session until another authorization attempt is successful - I think you are assuming that this session attribute is automatically removed.

You may want to clear this attribute from the session yourself to not display it again.
