Error getting SPRING_SECURITY_LAST_EXCEPTION


    Hi folks, here is my scenario:
    I have a Spring MVC annotation-based controller for my index page, which contains, among other things, my login form.

    The summarized version of my controller:
    @Controller
    public class IndexController {
        protected final Log logger = LogFactory.getLog(getClass());
        @RequestMapping(value = "/index.html", method = RequestMethod.GET)
        public void index() {
            logger.info("Returning index view!");
        }
    }
    Here is my Spring Security config snippet:
    <security:http entry-point-ref="myAuthenticationEntryPoint" auto-config="false">
        <security:intercept-url pattern="/index.html" filters="none" />
        <security:intercept-url pattern="/css/**" filters="none" />
        <security:intercept-url pattern="/img/**" filters="none" />
        <security:intercept-url pattern="/form.html" access="ROLE_USER"/>
        <security:intercept-url pattern="/saldo.html" access="ROLE_USER"/>
        <security:logout invalidate-session="true" logout-url="/logout.html" logout-success-url="/index.html?loggedout=true"/>
        <!-- Uncomment to limit the number of sessions a user can have  -->
        <security:concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
    </security:http>
    <security:authentication-manager alias="authenticationManager" />
    <beans:bean id="MyCustomAuthenticationProvider" class="">
        <security:custom-authentication-provider />
        <beans:property name="locator">
            <beans:bean class="" />
        </beans:property>
    </beans:bean>
    <beans:bean id="myAuthenticationEntryPoint" class="">
        <beans:property name="loginFormUrl" value="/index.html" />
        <beans:property name="forceHttps" value="false" />
    </beans:bean>
    <beans:bean id="authenticationProcessingFilter" class="">
        <security:custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
        <beans:property name="defaultTargetUrl" value="/index.html" />
        <beans:property name="authenticationFailureUrl" value="/index.html?authfailed=true"/>
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="allowSessionCreation" value="true"/>
    </beans:bean>
    As you can see, I have a custom authenticator provider because I must authenticate the users through another third-party system (lookup to a remote EJB). The login form is in /index.html (which my controller resolves), and if I try to access /form.html (another of my controllers) the login page is displayed and everything works fine.

    My problem is when I try to get information about bad logins. In my custom authenticator provider I have created three more specific exceptions to handle the needs of my app; I have to handle nonexistent logins, invalid passwords and blocked users. Here I list one of the custom exceptions.

    public class SenhaInvalidaException extends AuthenticationException {
        private static final long serialVersionUID = 1L;
        public SenhaInvalidaException(String msg) {
            super("CE02 " + msg);
        }
    }
    For each kind of custom exception I have to display a particular error message; the way I have to do it, according to my research, is in the next snippet:

    <c:if test="${not empty param.authfailed}">
        <table id="bar_erroLogin">
            <tr>
                <td class="font_erroLogin">
                    <c:if test="${SPRING_SECURITY_LAST_EXCEPTION.class.simpleName eq 'SenhaInvalidaException'}">
                        Senha inválida ou não cadastrados  |  Caso você não se lembre de sua senha, . <a href="">clique em esqueci minha senha</a><br/>
                    </c:if>
                    <%-- code for other custom exceptions --%>
                </td>
            </tr>
        </table>
    </c:if>
    The problem is that when I make a bad login attempt, I cannot get the value of the SPRING_SECURITY_LAST_EXCEPTION session variable. The returned value is blank.

    I tried to get the value in this way:
    <c:out value="${sessionScope.SPRING_SECURITY_LAST_EXCEPTION.class.simpleName}"/>
    And I got this error on my WebSphere 6.1 server:
    I'm not using the directive <%@ page session="false" %> in my index.jsp page.

    I made another attempt: I moved my index.jsp (used in my controller) from /WEB-INF/jsp to / and made all the changes in the Spring Security config. And it works, accessing the JSP directly, using sessionScope.SPRING_SECURITY_LAST_EXCEPTION.class.simpleName without <%@ page session="false" %>.

    My guess is that after the submit the session attribute is created, and when the controller is called again this session attribute is destroyed, but I'm not sure.

    Have any of you guys experienced something like that? If so, any help will be appreciated.

    Tks a lot.
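
An added example, not part of the original post: a variant of the post's IndexController that resolves the failure type in the controller and passes a message code to the view, instead of reading the session from the JSP. It assumes the exception is stored under the session attribute name used in the post; the method resolveLoginError, the model attribute loginError and the message codes are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class IndexController {

    // Session attribute name as it appears in the post.
    private static final String LAST_EXCEPTION = "SPRING_SECURITY_LAST_EXCEPTION";

    // Hypothetical message codes, to be resolved by the view.
    private static final String GENERIC = "login.error.generic";
    private static final String SENHA_INVALIDA = "login.error.senhaInvalida";

    @RequestMapping(value = "/index.html", method = RequestMethod.GET)
    public void index(HttpServletRequest request, ModelMap model) {
        // authfailed is the query parameter set by authenticationFailureUrl.
        if (request.getParameter("authfailed") == null) {
            return;
        }
        // getSession(false): never create a session just to look for an error.
        model.addAttribute("loginError", resolveLoginError(request.getSession(false)));
    }

    // Maps the stored exception to a message code and clears it, so a stale
    // failure is not shown again on a later visit to the page.
    static String resolveLoginError(HttpSession session) {
        if (session == null) {
            return GENERIC;
        }
        Object last = session.getAttribute(LAST_EXCEPTION);
        session.removeAttribute(LAST_EXCEPTION);
        if (last == null) {
            return GENERIC;
        }
        // Compare by simple name, as the JSP in the post does; only the
        // exception class shown in the post is mapped here.
        if ("SenhaInvalidaException".equals(last.getClass().getSimpleName())) {
            return SENHA_INVALIDA;
        }
        return GENERIC;
    }
}
```

The JSP then tests `${loginError}` rather than the exception class. Returning the same code for nonexistent logins and invalid passwords keeps the page from revealing which usernames exist.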