i facing issues in spring-security configuration. need display custom message on web page when login fails.
two level authentication happens: 1. site minder 2. database
my custom error handler called successfully(authentication-failure-handler-ref="authfailurehandler") when user provides invalid user name/pwd (will fail @ site minder) , able show invalid error message.
when siteminder authentication successful , user not available in database, custom error hanlder(authentication-failure-handler-ref="authfailurehandler") not getting invoked atall. instead executing series of other error handlers , finally, logout-url getting executed , redirecting index.html page (login page) without error message.
kindly suggest me on , let me know going wrong.
below spring-security config , other details.
spring.security.xml
<security:http auto-config="true" use-expressions="true"> <security:intercept-url pattern="/resources/app/commons/**" access="permitall"/> <security:intercept-url pattern="/resources/app/template/**" access="permitall"/> <security:intercept-url pattern="/resources/app/**" access="hasanyrole('m_xxx', 'm_xxx')"/> <security:intercept-url pattern="/app/template/**" access="permitall"/> <security:intercept-url pattern="/app/**" access="hasanyrole('m_vvv', 'm_xxx')"/> <security:custom-filter position="pre_auth_filter" ref="siteminderfilter" /> <!-- authentication-failure url handled in authfailurehandler --> <security:form-login always-use-default-target="true" authentication-failure-url="/index.html?login_error=1" login-page="/index.html" default-target-url="/app/home" login-processing-url="/dologin" authentication-failure-handler-ref="authfailurehandler"/> <security:logout invalidate-session="true" logout-success-url="/index.html" logout-url="/dologout" /> <security:session-management invalid-session-url="/index.html" /> </security:http> <bean id="preauthauthprovider" class="org.springframework.security.web.authentication.preauth.preauthenticatedauthenticationprovider"> <property name="preauthenticateduserdetailsservice"> <bean id="userdetailsservicewrapper" class="org.springframework.security.core.userdetails.userdetailsbynameservicewrapper"> <property name="userdetailsservice" ref="userdetailsservice" /> </bean> </property> </bean> <security:authentication-manager alias="authenticationmanager"> <security:authentication-provider ref="preauthauthprovider" /> </security:authentication-manager> authfailurehandler.java
@override public void onauthenticationfailure(httpservletrequest request, httpservletresponse response, authenticationexception exception) throws ioexception, servletexception { if (log.isdebugenabled()) { log.debug("error message set in threadlocal :" + autherrormsgthreadlocal.get()); } // login failed in siteminder, no threadlocal message if (stringutils.isempty(autherrormsgthreadlocal.get())) { request.getsession().setattribute("auth_error_msg", "invalid username or password"); response.sendredirect(request.getcontextpath() + error_redirect_url); } else { // in event of auth failure, specific error message // threadlocal request.getsession().setattribute("auth_error_msg", autherrormsgthreadlocal.get()); response.sendredirect(request.getcontextpath() + error_redirect_url); autherrormsgthreadlocal.unset(); } }
