Issue
I'm using the Vaadin LoginForm with Spring Security in a Spring Boot project. By default it redirects to /login?error
if authentication fails for any reason. I want to redirect for certain failures, specifically if the user hasn't validated their email yet. I'm trying to use the failureHandler
feature to do this, but as soon as I create one, the /login?error
URL suddenly requires the user to be authenticated, while /login
functions as normal.
My login view:
@PageTitle("Login")
@Route("login", layout = MainLayout::class)
class LoginView : VerticalLayout(), BeforeEnterObserver {
private val loginForm: LoginForm
init {
alignItems = FlexComponent.Alignment.CENTER
className = "login-view"
width = LumoUtility.Width.AUTO
loginForm = loginForm { action = "login" }
button("Register") {
onLeftClick { ui.ifPresent { it.navigate("register")} }
}
}
override fun beforeEnter(beforeEnterEvent: BeforeEnterEvent) {
if (beforeEnterEvent.location.queryParameters.parameters.containsKey("error")) {
loginForm.isError = true
}
}
}
My security configuration:
@Configuration
@EnableWebSecurity
class SecurityConfiguration : VaadinWebSecurityConfigurerAdapter() {
@Throws(Exception::class)
override fun configure(http: HttpSecurity) {
http.formLogin()
.failureHandler(object : SimpleUrlAuthenticationFailureHandler() {
override fun onAuthenticationFailure(
request: HttpServletRequest?,
response: HttpServletResponse?,
exception: AuthenticationException?
) {
super.onAuthenticationFailure(request, response, exception)
}
})
super.configure(http)
setLoginView(http, LoginView::class.java)
}
As you can see, all I did was add a failureHandler in my security configuration function that simply calls the default failureHandler, but that is enough to break the /login?error
. If I remove that failureHandler, then it works as expected and shows the /login?error
URL when login fails. How do I get this to work?
Solution
You setting a failureHandler
overrides the default of simply redirecting to /login?error
(and automatically configuring this URL to not require authentication). Looking at the code you can only have one AuthenticationFailureHandler
.
Answered By - Frettman
Answer Checked By - Dawn Plyler (JavaFixing Volunteer)