Why am I not getting Spring Security Login Error Messages?

spring struts2 spring-security tiles2
Griff picture Griff · Oct 7, 2010 · Viewed 7.8k times · Source

Using Spring Security 3 along with Struts 2 and Tiles 2, I have a login page that appears when it is supposed to and performs the login as expected -- however when I enter bad user credentials I am returned to the login page with no information about what went wrong. I've checked all my configuration parameters and I can't see where the problem is.

My Spring Security XML config is as follows:

 <http auto-config="true" use-expressions="true">
    <intercept-url pattern="/" access="permitAll" />
    <intercept-url pattern="/css/**" access="permitAll" />
    <intercept-url pattern="/images/**" access="permitAll" />
    <intercept-url pattern="/js/**" access="permitAll" />
    <intercept-url pattern="/public/**" access="permitAll" />
    <intercept-url pattern="/home/**" access="permitAll" />
    <intercept-url pattern="/user/**" access="hasRole('AUTH_MANAGE_USERS')" />
    <intercept-url pattern="/group/**" access="hasRole('AUTH_MANAGE_USERS')" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <access-denied-handler error-page="/403.html"/>
    <form-login  login-page="/public/login.do" always-use-default-target="false"/>
    <logout invalidate-session="true" logout-success-url="/public/home.do"/>
</http>

My Struts Action looks like this:

<package name="public" namespace="/public" extends="secure">
    <action name="login">
        <result name="success" type="tiles">tiles.login.panel</result>
        <result name="input" type="tiles">tiles.login.panel</result>
        <result name="error">/WEB-INF/jsp/error.jsp</result>
    </action>
    <action name="logout">
        <result name="success" type="redirect">/j_spring_security_logout</result>
    </action>
</package>

And the login.jsp page (part of the tile) looks for the exception from Spring Security...

<c:if test="${not empty param.login_error}">
   <span class="actionError">
   Your login attempt was not successful, try again.<br/><br/>
        Reason: <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}"/>.
  </span>
</c:if>
<form id="loginForm" name="loginForm" action="/j_spring_security_check" method="post">
  ...
</form>

Can anyone tell me what I am missing? Thanks in advance for any/all replies.

Answer

axtavt picture axtavt · Oct 7, 2010

Spring Security doesn't set param.login_error automatically. You need to do it manaully as follows:

<form-login  
    login-page="/public/login.do" 
    authentication-failure-url = "/public/login.do?login_error=1"
    always-use-default-target="false"/>

Related questions

Spring CSRF token does not work, when the request to be sent is a multipart request

I use, Spring Framework 4.0.0 RELEASE (GA) Spring Security 3.2.0 RELEASE (GA) Struts 2.3.16 In which, I use an in-built security token to guard against CSRF attacks. The Struts form looks like the following. <s:form namespace="/admin_side" action="Category" enctype="…

Read More
Struts2 vs Spring 3

Does anyone know difference between Struts2 and Spring 3 MVC. I know the difference between Struts 1 and Spring 2.5, but what's the advantage Struts2 has over Spring 3 or otherwise. I tried looking all over web, but there is no comprehensive answer anywhere.

Read More
Missing artifact javax.transaction:jta:jar:1.0.1B ( Issue was different as you may see the resolution is different)

I am trying to learn Hibernate-Spring-Struts using the example here. But after creating the pom.xml getting this error : Missing artifact javax.transaction:jta:jar:1.0.1B I made a progress only up to creating the pom.xml file and made …

Read More