Fix authenticationFailureHandler not being used

The custom server authenticationFailureHandler was not always picked up Fixes: gh-7782
spring-projects · Jan 27, 2020 · edb6cd3 · edb6cd3
1 parent 2dbedf7
commit edb6cd3
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 1 deletion.
diff --git a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
@@ -3050,7 +3050,9 @@ public FormLoginSpec loginPage(String loginPage) {
 			this.defaultEntryPoint = new RedirectServerAuthenticationEntryPoint(loginPage);
 			this.authenticationEntryPoint = this.defaultEntryPoint;
 			this.requiresAuthenticationMatcher = ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, loginPage);
-			this.authenticationFailureHandler = new RedirectServerAuthenticationFailureHandler(loginPage + "?error");
+			if (this.authenticationFailureHandler == null) {
+				this.authenticationFailureHandler = new RedirectServerAuthenticationFailureHandler(loginPage + "?error");
+			}
 			return this;
 		}
 

diff --git a/config/src/test/java/org/springframework/security/config/web/server/FormLoginTests.java b/config/src/test/java/org/springframework/security/config/web/server/FormLoginTests.java
@@ -33,6 +33,7 @@
 import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 import org.springframework.security.web.server.WebFilterChainProxy;
+import org.springframework.security.web.server.authentication.RedirectServerAuthenticationFailureHandler;
 import org.springframework.security.web.server.authentication.RedirectServerAuthenticationSuccessHandler;
 import org.springframework.security.web.server.context.ServerSecurityContextRepository;
 import org.springframework.security.web.server.csrf.CsrfToken;
@@ -213,6 +214,37 @@ public void formLoginWhenCustomLoginPageInLambdaThenUsed() {
 		homePage.assertAt();
 	}
 
+	@Test
+	public void formLoginWhenCustomAuthenticationFailureHandlerThenUsed() {
+		SecurityWebFilterChain securityWebFilter = this.http
+			.authorizeExchange()
+				.pathMatchers("/login", "/failure").permitAll()
+				.anyExchange().authenticated()
+				.and()
+			.formLogin()
+				.authenticationFailureHandler(new RedirectServerAuthenticationFailureHandler("/failure"))
+				.and()
+			.build();
+
+		WebTestClient webTestClient = WebTestClientBuilder
+				.bindToWebFilters(securityWebFilter)
+				.build();
+
+		WebDriver driver = WebTestClientHtmlUnitDriverBuilder
+				.webTestClientSetup(webTestClient)
+				.build();
+
+		DefaultLoginPage loginPage = HomePage.to(driver, DefaultLoginPage.class)
+				.assertAt();
+
+		loginPage.loginForm()
+				.username("invalid")
+				.password("invalid")
+				.submit(HomePage.class);
+
+		assertThat(driver.getCurrentUrl()).endsWith("/failure");
+	}
+
 	@Test
 	public void authenticationSuccess() {
 		SecurityWebFilterChain securityWebFilter = this.http