From 0c097806440ebfb2c1067a4bbdece03a5eb6fd23 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Wed, 5 May 2010 14:13:48 +0100
Subject: [PATCH] SEC-1476: Modify AbstractPreAuthenticatedProcessingFilter to store authentication exception in request instead of creating a new session.
---
 .../preauth/AbstractPreAuthenticatedProcessingFilter.java | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java b/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
index 72de83f565..b1a1bd1239 100755
--- a/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
@@ -167,8 +167,9 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
 }
 /**
- * Ensures the authentication object in the secure context is set to null
- * when authentication fails.
+ * Ensures the authentication object in the secure context is set to null when authentication fails.
+ *

+ * Caches the failure exception as a request attribute
 */
 protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) {
 SecurityContextHolder.clearContext();
@@ -176,7 +177,7 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
 if (logger.isDebugEnabled()) {
 logger.debug("Cleared security context due to exception", failed);
 }
- request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, failed);
+ request.setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, failed);
 }
 
 /**
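Review bot: The Javadoc added in the first hunk says the exception is cached as a request attribute but not that its visibility has narrowed, which is the real effect of the second hunk replacing `request.getSession().setAttribute(...)` with `request.setAttribute(...)`: a request attribute is visible only for the current request and any forward, not after a redirect, whereas the session attribute it replaces was. Any entry point or failure page that previously read `WebAttributes.AUTHENTICATION_EXCEPTION` from the session after a redirect should be checked, and the Javadoc should state the scope explicitly, e.g. ` * Caches the failure exception as a request attribute under {@link WebAttributes#AUTHENTICATION_EXCEPTION}. Unlike the session attribute used previously, it is only visible for the current request (and forwards), not after a redirect.` The added sentence is also missing its terminating period. The body of unsuccessfulAuthentication starts in the first hunk and continues into the second, with the lines between them not shown.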