Form Login authenticationFailureHandler is not used in ServerHttpSecurity #7782

Closed
lizz365 opened this issue Jan 2, 2020 · 1 comment
Labels: in: config, status: backported, type: bug

lizz365 commented Jan 2, 2020

Summary

Use a custom method when login fails, but the authenticationFailureHandler method is invalid.

Actual Behavior

Using the wrong user on the page at "/login" forwards to an authentication error page, "login?error".

Expected Behavior

Using the wrong user on the page at "/login" executes my custom method.

Configuration

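```java
// SecurityConfig.java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@EnableWebFluxSecurity
public class SecurityConfig {
    @Autowired
    private AuthFailureHandler authFailureHandler;

    @Bean
    SecurityWebFilterChain webFluxSecurityFilterChain(ServerHttpSecurity http) {
        http.authorizeExchange()
                .and()
                .formLogin()
                // Custom handler that is expected to run on a failed form login
                .authenticationFailureHandler(authFailureHandler);
        return http.build();
    }
}
```

```java
// AuthFailureHandler.java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.security.web.server.authentication.ServerAuthenticationFailureHandler;
import org.springframework.stereotype.Component;
import reactor.core.publisher.Mono;

@Component
public class AuthFailureHandler implements ServerAuthenticationFailureHandler {
    private static final Logger logger = LoggerFactory.getLogger(AuthFailureHandler.class);

    @Override
    public Mono<Void> onAuthenticationFailure(WebFilterExchange webFilterExchange, AuthenticationException e) {
        logger.info("Authentication Failure");
        // A reactive method must not return null; complete with an empty Mono instead
        return Mono.empty();
    }
}
```

```yaml
spring:
  security:
    user:
      name: guest
      password: 123
```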

Version

5.2.1-RELEASE

Reference

```java
public FormLoginSpec loginPage(String loginPage) {
    this.defaultEntryPoint = new RedirectServerAuthenticationEntryPoint(loginPage);
    this.authenticationEntryPoint = this.defaultEntryPoint;
    this.requiresAuthenticationMatcher = ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, loginPage);
    this.authenticationFailureHandler = new RedirectServerAuthenticationFailureHandler(loginPage + "?error");
    return this;
}
```

The authenticationFailureHandler value is overridden when the build method of ServerHttpSecurity is executed.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 2, 2020
@eleftherias eleftherias self-assigned this Jan 24, 2020
@eleftherias eleftherias added in: config An issue in spring-security-config type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 24, 2020
@eleftherias eleftherias changed the title authenticationFailureHandler is invalid when ServerHttpSecurity build Form Login authenticationFailureHandler is not used in ServerHttpSecurity Jan 27, 2020
eleftherias (Contributor) commented

Thanks for the report @lizz365. This is now fixed by 2937754.

@eleftherias eleftherias added this to the 5.3.0.RC1 milestone Jan 27, 2020
eleftherias added a commit that referenced this issue Jan 27, 2020
The custom server authenticationFailureHandler was not always picked up

Fixes: gh-7782
@spring-projects-issues spring-projects-issues added the status: backported An issue that has been backported to maintenance branches label Jan 27, 2020
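
A regression check for the behavior reported in this issue, written as an added example (not code from the reporter or from Spring Security's own test suite). It assumes JUnit 5, spring-test and spring-webflux on the test classpath; the class name, the 401-returning handler and the always-rejecting authentication manager are hypothetical and constructed for the test. On a version with the reported behavior the response is the redirect to "/login?error" and the test fails.

```java
import java.util.concurrent.atomic.AtomicBoolean;

import org.junit.jupiter.api.Test;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.WebFilterChainProxy;
import org.springframework.security.web.server.authentication.ServerAuthenticationFailureHandler;
import org.springframework.test.web.reactive.server.WebTestClient;
import org.springframework.web.reactive.function.BodyInserters;
import reactor.core.publisher.Mono;

import static org.junit.jupiter.api.Assertions.assertTrue;

class FormLoginFailureHandlerTest {
    @Test
    void customFailureHandlerRunsOnBadCredentials() {
        AtomicBoolean called = new AtomicBoolean(false);
        // Hypothetical handler: records the call and answers 401 instead of redirecting.
        ServerAuthenticationFailureHandler handler = (webFilterExchange, ex) -> {
            called.set(true);
            webFilterExchange.getExchange().getResponse().setStatusCode(HttpStatus.UNAUTHORIZED);
            return Mono.empty();
        };

        SecurityWebFilterChain chain = ServerHttpSecurity.http()
                // Constructed manager that rejects every login attempt.
                .authenticationManager(auth -> Mono.error(new BadCredentialsException("bad credentials")))
                .csrf().disable() // test only: lets the POST through without a CSRF token
                .authorizeExchange().anyExchange().authenticated().and()
                .formLogin().authenticationFailureHandler(handler).and()
                .build();

        WebTestClient client = WebTestClient
                .bindToWebHandler(exchange -> Mono.empty())
                .webFilter(new WebFilterChainProxy(chain))
                .build();

        client.post().uri("/login")
                .contentType(MediaType.APPLICATION_FORM_URLENCODED)
                .body(BodyInserters.fromFormData("username", "guest").with("password", "wrong"))
                .exchange()
                // The default redirect handler would answer with a redirect to /login?error.
                .expectStatus().isUnauthorized();
        assertTrue(called.get(), "custom failure handler was not invoked");
    }
}
```

Keeping a check like this in the application's own test suite catches a framework upgrade or configuration change that silently drops failed-login logging or lockout logic placed in the handler.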