SEC-1429: AuthenticationFailureHandler should be responsible for caching exception, not AbstractAuthenticationFilter #1672

spring-issuemaster opened this Issue Mar 4, 2010 · 1 comment



Luke Taylor (Migrated from SEC-1429) said:

The logic should be moved to the default failure handler. If using a forward to the failure URL, it should use "request" scope, rather than storing the exception in the session. We want to avoid creating a session unnecessarily and avoid polluting the session. Any authentication-related session data should also be cleared up after a successful authentication.


Luke Taylor said:

The AuthenticationFailureHandler is now responsible for storing the AuthenticationException to make it available to an error page. It will use request scope if configured to use a forward instead of a redirect. People using custom implementations should be aware that the exception may not be available unless they store it themselves.

The common session and request attribute key constants related to this functionality have been moved to the WebAttributes class and the original values deprecated.

The default AuthenticationSuccessHandler implementations will now clear this failure-related information from the session when they are invoked.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016