Luke Taylor (Migrated from SEC-1429) said:
The logic should be moved to the default failure handler. If using a forward to the failure URL, it should use "request" scope, rather than storing the exception in the session. We want to avoid creating a session unnecessarily and avoid polluting the session. Any authentication-related session data should also be cleared up after a successful authentication.
Luke Taylor said:
The AuthenticationFailureHandler is now responsible for storing the AuthenticationException to make it available to an error page. It will use request scope if configured to use a forward instead of a redirect. People using custom implementations should be aware that the exception may not be available unless they store it themselves.
The common session and request attribute key constants related to this functionality have been moved to the WebAttributes class and the original values deprecated.
The default AuthenticationSuccessHandler implementations will now clear this failure-related information from the session when they are invoked.