SEC-1429: AuthenticationFailureHandler should be responsible for caching exception, not AbstractAuthenticationFilter #1672

spring-issuemaster opened this Issue Mar 4, 2010 · 1 comment

Luke Taylor (Migrated from SEC-1429) said:

The logic should be moved to the default failure handler. If using a forward to the failure URL, it should use "request" scope, rather than storing the exception in the session. We want to avoid creating a session unnecessarily and avoid polluting the session. Any authentication-related session data should also be cleared up after a successful authentication.

Luke Taylor said:

The AuthenticationFailureHandler is now responsible for storing the AuthenticationException to make it available to an error page. It will use request scope if configured to use a forward instead of a redirect. People using custom implementations should be aware that the exception may not be available unless they store it themselves.

The common session and request attribute key constants related to this functionality have been moved to the WebAttributes class and the original values deprecated.

The default AuthenticationSuccessHandler implementations will now clear this failure-related information from the session when they are invoked.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016
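
Added example (not part of the issue thread and not Spring Security's own code): a custom failure handler that stores the AuthenticationException itself, in request scope on a forward and in the session on a redirect, with a success handler that clears the stale attribute. It assumes the javax.servlet API and a Spring Security version that has WebAttributes.AUTHENTICATION_EXCEPTION; the class names, failureUrl and targetUrl are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

// Hypothetical custom handler: it stores the exception itself for the error page.
public class ExceptionStoringFailureHandler implements AuthenticationFailureHandler {
    private final String failureUrl;   // assumed context-relative, e.g. "/login?error"
    private final boolean forward;     // true: forward, false: redirect

    public ExceptionStoringFailureHandler(String failureUrl, boolean forward) {
        this.failureUrl = failureUrl;
        this.forward = forward;
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        if (forward) {
            // The same request reaches the error page: request scope, no session touched.
            request.setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, exception);
            request.getRequestDispatcher(failureUrl).forward(request, response);
            return;
        }
        // A redirect starts a new request, so the session is the only carrier.
        request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, exception);
        response.sendRedirect(request.getContextPath() + failureUrl);
    }
}

// Hypothetical success-side counterpart: drop stale failure data after login.
class FailureDataClearingSuccessHandler implements AuthenticationSuccessHandler {
    private final String targetUrl = "/";   // assumed landing page

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        HttpSession session = request.getSession(false);   // never create one just to clean up
        if (session != null) {
            session.removeAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
        }
        response.sendRedirect(request.getContextPath() + targetUrl);
    }
}
```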