How can I setup spring-security to return BeanPropertyBindingResult validation errors

  • How can I setup spring-security to return BeanPropertyBindingResult validation errors

    I'm somewhat new to Spring3 framework and am interested in leveraging as much as possible from it, but it appears that some things don't necessarily work so well with other things, so there are some limits. I've gone through many tutorial/example apps and have got annotation based form validation working with 'javax.validation.Valid' (the hibernate reference impl).

    I was looking at setting up form-based, container-managed security and discovered spring-security, so got an example of that working using 'springSecurityFilterChain/DelegatingFilterProxy' and 'http auto-config/authentication-manager'. This uses an XML-based 'authentication-provider/user-service', which of course I would want to change to a database/LDAP provider later.

    So the login form will validate, but error messages come from 'sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message', and not 'BeanPropertyBindingResult', so I am unable to get the normal validation error messages I expect using the spring 'form:errors' tag, even though I've passed 'BindingResult result' into my 'loginfailed/loginerror' Controller method.

    I read that this has something to do with having two contextListeners: dispatcher-servlet and spring-security, and that these validation error messages are associated with one or the other but not both.

    If spring validation and security are so flexible, why isn't there a way to tie the two together?

  • #2
    I see that a Mr. Deinum addressed this issue 2 1/2 years ago, where he says:

    "The login procedure is handled by the Spring Security FilterChain, no Controller comes into play. The form tags only work when you use a Controller or Webflow and have a command object/form backing object. You don't have that with Spring Security, there are only the 2 parameters, no more no less. So you will not get the form:errors nor any of the form tags to work."

    So use of annotation-driven validation may be fine for other site screens/forms, but for authentication managed by spring-security you can fuggedaboutit. It ignores everything you might try to set up. There are techniques to override or manipulate the exception messages you might get from SPRING_SECURITY_LAST_EXCEPTION, but as far as defining your own validation constraints, it doesn't appear to be possible, at least not with javax.validation.
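
One way to take control of the login error message discussed in this thread, as an added example that is not code from either poster or from the Spring Security project: a custom `AuthenticationFailureHandler` that maps the exception to a message code instead of exposing the raw `SPRING_SECURITY_LAST_EXCEPTION` text. The class name, session attribute name and message codes are assumptions; `/loginfailed` follows the mapping mentioned in the first post.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

// Hypothetical class. Register it as a bean and reference it from the namespace config:
//   <form-login authentication-failure-handler-ref="loginFailureHandler"/>
public class LoginFailureHandler implements AuthenticationFailureHandler {

    // Hypothetical session attribute that the login JSP reads.
    public static final String LOGIN_ERROR_CODE = "LOGIN_ERROR_CODE";

    @Override
    public void onAuthenticationFailure(HttpServletRequest request,
                                        HttpServletResponse response,
                                        AuthenticationException exception)
            throws IOException, ServletException {
        // Store only a message code. Because this handler does not copy the
        // exception into the session, its raw message never reaches the page.
        request.getSession().setAttribute(LOGIN_ERROR_CODE, toMessageCode(exception));
        response.sendRedirect(request.getContextPath() + "/loginfailed");
    }

    // Maps an authentication failure to a message-bundle key (keys are hypothetical).
    static String toMessageCode(AuthenticationException exception) {
        // With the default DaoAuthenticationProvider, expired credentials are
        // checked after the password has matched, so a distinct message here
        // is shown only to someone who already knows the password.
        if (exception instanceof CredentialsExpiredException) {
            return "login.error.credentialsExpired";
        }
        // Unknown user, wrong password, locked and disabled accounts all get
        // the same code, so the page does not reveal which accounts exist
        // or what state they are in.
        return "login.error.generic";
    }
}
```

The login JSP can then render the text with `<spring:message code="${sessionScope.LOGIN_ERROR_CODE}"/>`, which keeps the wording in the same message bundle used for the rest of the site's validation messages.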