-1

I have a JSP form as below,

<form method="post" id="loginForm" action="<c:url value='/login'/>">
    <fieldset>
        <label class="block clearfix">
            <span class="block">
                <input type="text" class="form-control"
                       placeholder='Username'
                       name="username"
                       required="required"
                       maxlength="50"/>
                <i class="icon-user"></i>
            </span>
        </label>

        <label class="block clearfix">
            <span class="block">
                <input type="password" class="form-control"
                       placeholder='Password'
                       required="required"
                       name="password" maxlength="50"/>
            </span>
        </label>

        <div>
            <c:if test="${userNameRequired == true}">
                <br/>
                <div class="alert alert-block alert-danger">
                    <button class="close" data-dismiss="alert" type="button">
                        <i class="icon-remove"></i>
                    </button>
                    <strong>
                        <i class="icon-remove"></i>
                        Error!
                    </strong>
                    Please enter your Email.
                </div>
                <c:remove var="userNameRequired" scope="session"/>
            </c:if>
            <c:if test="${passwordRequired == true}">
                <br/>
                <div class="alert alert-block alert-danger">
                    <button class="close" data-dismiss="alert" type="button">
                        <i class="icon-remove"></i>
                    </button>
                    <strong>
                        <i class="icon-remove"></i>
                        Error!
                    </strong>
                    Please enter your Password.
                </div>
                <c:remove var="passwordRequired" scope="session"/>
            </c:if>
            <c:if test="${invalidCredentials == true}">
                <br/>
                <div class="alert alert-block alert-danger">
                    <button class="close" data-dismiss="alert" type="button">
                        <i class="icon-remove"></i>
                    </button>
                    <strong>
                        <i class="icon-remove"></i>
                        Error!
                    </strong>
                    Invalid Credentials.
                </div>
                <c:remove var="invalidCredentials" scope="session"/>
            </c:if>
            <c:if test="${userNotExists == true}">
                <br/>
                <div class="alert alert-block alert-danger">
                    <button class="close" data-dismiss="alert" type="button">
                        <i class="icon-remove"></i>
                    </button>
                    <strong>
                        <i class="icon-remove"></i>
                        Error!
                    </strong>
                    Invalid Credentials.
                </div>
                <c:remove var="userNotExists" scope="session"/>
            </c:if>
        </div>

        <div class="clearfix">
            <button type="submit"
                    class="btn btn-block btn-primary"
                    value='Login'>
            </button>
        </div>
    </fieldset>
</form>

When authentication fails, it should show an "invalid credentials" message (or the respective message) on the same page, but instead it redirects to a new page, as below:

[screenshot omitted]

There are no redirects in my authenticate method, which is triggered when Login is clicked. Below is the code:

 public Authentication attemptAuthentication(HttpServletRequest request,
      HttpServletResponse response) {

    // obtainUsername/obtainPassword are inherited from the parent filter
    // (UsernamePasswordAuthenticationFilter reads the "username"/"password" parameters)
    String userName = obtainUsername(request);
    String password = obtainPassword(request);

    if (userName == null || userName.isEmpty()) {
      // one-shot session flag rendered by <c:if test="${userNameRequired == true}"> in the JSP
      request.getSession().setAttribute("userNameRequired", true);
      throw new BadCredentialsException("Email field should not be empty.");
    }

    if (password == null || password.isEmpty()) {
      request.getSession().setAttribute("passwordRequired", true);
      throw new BadCredentialsException("Password field should not be empty.");
    }

    UsernamePasswordAuth authRequest = new UsernamePasswordAuth(userName, password);
    setDetails(request, authRequest);

    try {
        return this.getAuthenticationManager().authenticate(authRequest);
    } catch (BadCredentialsException ex) {
        request.getSession().setAttribute("invalidCredentials", true);
        throw ex;  // rethrow the caught exception ("throw new ex;" does not compile)
    }
  }

I'm new to JSPs and Spring MVC, so I'm having a hard time debugging and understanding this. Any help is much appreciated.

Thank you.

Shinchan
  • Question is still unclear. `attemptAuthentication` method is part of which class, if that class is part of Spring Security's filter chain? Also, you have mentioned your response is in JSON format. This means your response was somewhere rewritten to an HTTPResponse. Instead you should check for the ModelView response instead of a REST response. – Ketan Bhavsar Sep 01 '22 at 09:44

2 Answers

0

It looks like you created a subclass of AbstractAuthenticationProcessingFilter, which has a method setAuthenticationFailureHandler to set the failureHandler field. So you should create an implementation of AuthenticationFailureHandler and invoke the method setAuthenticationFailureHandler.

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

public class MyAuthenticationFailureHandler implements AuthenticationFailureHandler {
    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        // write the authentication failure message to the response body
        response.getWriter().write(exception.getMessage());
    }
}

// register the handler on the filter (your subclass of AbstractAuthenticationProcessingFilter)
authFilter.setAuthenticationFailureHandler(new MyAuthenticationFailureHandler());

authFilter is a subclass of AbstractAuthenticationProcessingFilter.

pxzxj
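For reference, an added example of the failure handler described in this answer, written to send the browser back to the question's JSP form rather than writing the exception text into the response body; this is editor-added code, not pxzxj's or the Spring project's. It assumes the form is rendered by a GET at `/login` (the form's action path), reuses the session flag names from the JSP, and that `authFilter` is the question's filter instance; imports are the Spring Security 5 `javax.servlet` ones (Spring Security 6 uses `jakarta.servlet`).

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

// Added example: redirects back to the login JSP so the session flags set in
// attemptAuthentication() are rendered by the page's <c:if> blocks and then
// cleared by <c:remove>. Without a handler like this the filter's default
// failure behaviour decides where the browser ends up, not the thrown exception.
public class LoginPageFailureHandler implements AuthenticationFailureHandler {

    // Assumption: GET /login serves the JSP form shown in the question.
    private static final String LOGIN_PAGE = "/login";

    @Override
    public void onAuthenticationFailure(HttpServletRequest request,
                                        HttpServletResponse response,
                                        AuthenticationException exception)
            throws IOException, ServletException {
        HttpSession session = request.getSession();

        // Empty-field failures were already flagged by attemptAuthentication().
        // Every other failure (wrong password, unknown user, locked account, ...)
        // is reported with the same generic flag, so the page never reveals
        // whether a username exists; the JSP already shows "Invalid Credentials."
        // for both invalidCredentials and userNotExists.
        if (session.getAttribute("userNameRequired") == null
                && session.getAttribute("passwordRequired") == null) {
            session.setAttribute("invalidCredentials", true);
        }

        // HTTP 302 back to the form. The exception message is deliberately not
        // written to the response body; it is a one-shot flag in the session only.
        response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
    }
}

// Wiring, assuming authFilter is the question's AbstractAuthenticationProcessingFilter subclass:
//   authFilter.setAuthenticationFailureHandler(new LoginPageFailureHandler());
```

The flags live in the HTTP session, so the redirect must be served within the same session (same cookie); if the session is invalidated on failure the page will render without any message.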
0

Let me see if I understand.

When you click the submit button, it always redirects, even if the credentials are incorrect?

It is going to redirect you every time you click the button because it is submitting to the action="<c:url value='/login'/>" attribute you wrote in the <form> tag.

Buttons inside a form always send you to the action location.

To avoid this, I recommend you use AJAX to send the request and listen for the response without redirecting or reloading the page.

Or you can redirect back to the form explicitly on your validation side when the credentials are wrong.

I hope I was helpful.

JM.