Spring AuthenticationFailureHandler and WebSecurityConfigurerAdapter loginPage()
Edit: Solved. View my comment after this post
I am currently implementing a web application with Spring Security. I have implemented a custom AuthenticationFailureHandler, one that checks if the user has tried to log in too often with the wrong credentials (and blocks them for several minutes). But normal failed logins should redirect the user to the login page with a parameter error (/login?error). This page displays an error message "The password you entered incorrectly".
The AuthenticationFailureHandler looks like this (without the uninteresting lines of code):
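    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.web.authentication.AuthenticationFailureHandler;

    public class CustomAuthenticationHandler implements AuthenticationFailureHandler {
        // Some variables
        @Override
        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
            // some logic here..
            request.setAttribute("param", "error");
            response.sendRedirect("/login?error");
        }
    }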
My WebApplicationSecurity class looks like this:
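    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

    @Configuration
    @EnableWebMvcSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        CustomAuthenticationHandler customAuthenticationHandler;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Form login with the custom failure handler
            http.formLogin()
                    .loginPage("/login")
                    .permitAll()
                    .failureHandler(customAuthenticationHandler)
                    .and()
                .logout()
                    .permitAll();

            // Static resources are public, everything else requires authentication
            http.authorizeRequests()
                    .antMatchers("/css/**", "/img/**", "/js/**")
                    .permitAll()
                    .anyRequest()
                    .authenticated();

            http
                .csrf()
                .disable();
        }

        @Bean
        CustomAuthenticationHandler authenticationHandler() {
            return new CustomAuthenticationHandler();
        }

        @Configuration
        protected static class AuthenticationConfiguration extends
                GlobalAuthenticationConfigurerAdapter {

            @Override
            public void init(AuthenticationManagerBuilder auth) throws Exception {
                auth.inMemoryAuthentication()
                        .withUser("*******")
                        .password("*******")
                        .roles("USER");
            }
        }
    }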
Now the problem is that the AuthenticationFailureHandler redirects to /login?error, but (I don't know why) another redirect is then done to /login.
Can you help me solve my problem?
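An added example, not the poster's code and not taken from the Spring Security project: a failure handler that counts failed logins per username and client address, together with authorization rules that permit /login by path. It assumes the second redirect happens because failureHandler(...) leaves formLogin().permitAll() without a failure URL to open, so the unauthenticated request for /login?error is sent back to the login page; the class name, the limits and the ?locked parameter are hypothetical.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

// Added example, not the poster's code; class name, limits and "?locked" are assumptions.
public class LockoutAwareFailureHandler implements AuthenticationFailureHandler {
    private static final int MAX_FAILURES = 5;             // assumed threshold
    private static final long WINDOW_MS = 5 * 60 * 1000L;  // assumed 5-minute window
    private final Map<String, long[]> attempts = new HashMap<>(); // key -> {count, windowStart}

    /** Counts one failure for key; true once MAX_FAILURES is reached inside the window. */
    synchronized boolean recordFailure(String key, long nowMs) {
        long[] a = attempts.get(key);
        if (a == null || nowMs - a[1] > WINDOW_MS) {
            a = new long[] {0, nowMs};                     // start a fresh window
            attempts.put(key, a);
        }
        return ++a[0] >= MAX_FAILURES;
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException {
        // "username" is the default form parameter name in the Java config (assumed unchanged).
        String user = String.valueOf(request.getParameter("username")).toLowerCase();
        boolean locked = recordFailure(user + "|" + request.getRemoteAddr(), System.currentTimeMillis());
        // The redirect reveals only whether the key is locked, not which credential was wrong.
        response.sendRedirect(request.getContextPath() + (locked ? "/login?locked" : "/login?error"));
    }

    /** Rules for a configure(HttpSecurity) method: the redirect target is permitted by path. */
    static void configure(HttpSecurity http, LockoutAwareFailureHandler handler) throws Exception {
        http.authorizeRequests()
                // Ant patterns match the path only, so /login?error and /login?locked are covered.
                .antMatchers("/login", "/css/**", "/img/**", "/js/**").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin().loginPage("/login").failureHandler(handler).permitAll()
            .and()
            .logout().permitAll();
    }
}
```

Recording failures here does not by itself refuse a locked user; that check has to run before authentication. The in-memory map also needs eviction, since usernames are attacker-chosen input.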