eugenp / tutorials

Just Announced - "Learn Spring Security OAuth":

Home Page:http://bit.ly/github-lsso

.failureHandler(authenticationFailureHandler()) does not exist in spring-config 6.1.1

cobar79 opened this issue · comments

spring-security-exceptionhandler

HttpSecurity.failureHandler no longer exists.

HttpSecurity.exceptionHandling didn't catch InvalidBearerTokenException

Hey, @cobar79.

We have internal tasks to keep articles updated with Spring 6, but it might take a while.

This issue will remain open until then.

Hi @cobar79 - The failureHandler is not from HttpSecurity. It's from the FormLoginConfigurer<HttpSecurity> superclass, AbstractAuthenticationFilterConfigurer.

The article and the code use Spring Boot 2, which uses Spring Security 5.7.8. Nonetheless, both Spring Security 5.7.8 and 6.1 have that method.

HttpSecurity.exceptionHandling didn't catch any InvalidBearerTokenException. The Invalid bearer token on the Client side is matched to an AuthenticationFailureBadCredentialsEvent. Therefore, HttpSecurity doesn't catch such an exception. The mapping for the exception, here
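
Added example, not part of the thread or of the eugenp/tutorials code: a Spring Security 6.1 lambda-DSL configuration showing where `failureHandler` is reached (through `formLogin`) and where bearer-token failures can be observed (the resource server's entry point and the `AuthenticationFailureBadCredentialsEvent` mentioned above). It assumes Spring Boot 3 with the OAuth2 resource server starter, a `JwtDecoder` and an `AuthenticationEventPublisher` supplied by Boot auto-configuration, and a hypothetical `/login?error` failure URL.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    private static final Logger log = LoggerFactory.getLogger(SecurityConfig.class);

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // failureHandler(...) is declared on AbstractAuthenticationFilterConfigurer,
            // the superclass of FormLoginConfigurer, so it is reached through formLogin(...).
            .formLogin(form -> form.failureHandler(authenticationFailureHandler()))
            // Bearer-token failures are answered by the resource server's own entry point,
            // which returns 401 with a WWW-Authenticate header.
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(Customizer.withDefaults())
                .authenticationEntryPoint(new BearerTokenAuthenticationEntryPoint()));
        return http.build();
    }

    @Bean
    AuthenticationFailureHandler authenticationFailureHandler() {
        // Hypothetical failure URL chosen for this example.
        return new SimpleUrlAuthenticationFailureHandler("/login?error");
    }

    // An invalid bearer token is published as AuthenticationFailureBadCredentialsEvent,
    // so a listener on that event sees it even though exceptionHandling() does not.
    @EventListener
    public void onBadCredentials(AuthenticationFailureBadCredentialsEvent event) {
        // Log the exception type only; never write the presented token to logs.
        log.warn("Authentication failed: {}", event.getException().getClass().getSimpleName());
    }
}
```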