You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It would appear that when supplying a custom AuthenticationFailureHandler to formLogin().failureHandler(), the resulting methods cause the failureUrl on the handler to be ignored, i.e. permitAll won't recognise the failureUrl.
As a result, when login authentication fails, and the RedirectStrategy redirects to the failureUrl, what we get is a further redirect back to /login (loginUrl)
Actual Behavior
AbstractAuthenticationFilterConfigurer .failureUrl(String failureUrl)
states that this method is a shortcut for calling AbstractAuthenticationFilterConfigurer.failureHandler(AuthenticationFailureHandler authenticationFailureHandler)
Whereas, the 2nd method sets it to null
and sets this.failureHandler to the passed in AuthenticationFailureHandler.
What this means is that when .permitAll() is set, the failureUrl is null at the time of init.
/login?error (failureUrl) results in a 302 to login
Expected Behaviour
When configuring the form, not calling .failureHandler simply results in an instance of AuthenticationFailureHandler being created and the failureUrl set to /login?error.
Alternatively, calling failureUrl("/login?error)" does the same.
However, calling .failureHandler(AuthenticationFailureHandler failureHandler) does not have the same behaviour, due to failureUrl not being set and the corresponding failureHandler.failureUrl never being accessed (note: it doesn't have a getter anyway)...
Configuration
Version
4.1.3
Haven't checked other versions, but have checked the 4.1.x branch and the code matches up.
So the question is:
How would I supply my own authenticationFailureHandler to formLogin and have its failureUrl permitted?
I believe it would work by passing my own failureUrl to http.authorizeRequests().antMatchers(<here>).permitAll()?
It just seems counter-intuitive for .failureHandler not to use the passed in handler's failureUrl, especially when the javadoc explicitly says .failureUrl(String failureUrl) is a shortcut for calling .failureHandler.
I've been attempting to figure this out for the past day, so I'm thinking there's probably just a different path I should be taking that I am not aware of...
The text was updated successfully, but these errors were encountered:
Thanks for reaching out @rmckirby.
You are correct that the Javadoc incorrectly states that failureUrl(String) is a shortcut for invoking failureHandler(AuthenticationFailureHandler).
We have created gh-9229 to fix that.
You are also correct that you would explicitly need to provide access to the URL that you are using in the failureHandler by setting .authorizeRequests().antMatchers(<here>).permitAll().
See this comment for more details.
Summary
It would appear that when supplying a custom
AuthenticationFailureHandler
toformLogin().failureHandler()
, the resulting methods cause thefailureUrl
on the handler to be ignored, i.e.permitAll
won't recognise thefailureUrl
.As a result, when login authentication fails, and the
RedirectStrategy
redirects to thefailureUrl
, what we get is a further redirect back to/login
(loginUrl
)Actual Behavior
AbstractAuthenticationFilterConfigurer
.failureUrl(String failureUrl)
states that this method is a shortcut for calling
AbstractAuthenticationFilterConfigurer.failureHandler(AuthenticationFailureHandler authenticationFailureHandler)
However, the first sets
this.failureUrl
Whereas, the 2nd method sets it to
null
and sets
this.failureHandler
to the passed inAuthenticationFailureHandler
.What this means is that when
.permitAll()
is set, thefailureUrl
isnull
at the time ofinit
./login?error
(failureUrl
) results in a302
tologin
Expected Behaviour
When configuring the form, not calling
.failureHandler
simply results in an instance ofAuthenticationFailureHandler
being created and thefailureUrl
set to/login?error
.Alternatively, calling
failureUrl("/login?error)"
does the same.However, calling
.failureHandler(AuthenticationFailureHandler failureHandler)
does not have the same behaviour, due tofailureUrl
not being set and the correspondingfailureHandler.failureUrl
never being accessed (note: it doesn't have a getter anyway)...Configuration
Version
4.1.3
Haven't checked other versions, but have checked the
4.1.x
branch and the code matches up.So the question is:
How would I supply my own
authenticationFailureHandler
toformLogin
and have itsfailureUrl
permitted?I believe it would work by passing my own
failureUrl
tohttp.authorizeRequests().antMatchers(<here>).permitAll()
?It just seems counter-intuitive for
.failureHandler
not to use the passed in handler'sfailureUrl
, especially when the javadoc explicitly says.failureUrl(String failureUrl)
is a shortcut for calling.failureHandler
.I've been attempting to figure this out for the past day, so I'm thinking there's probably just a different path I should be taking that I am not aware of...
The text was updated successfully, but these errors were encountered: