Describe the bug
The formLogin().failureHandler() method sets the FormLoginConfigurer field failureUrl to null, so I am not redirected to /login?error and no error message is shown.
    public final T failureHandler(
            AuthenticationFailureHandler authenticationFailureHandler) {
        this.failureUrl = null;
        this.failureHandler = authenticationFailureHandler;
        return getSelf();
    }
Comment From: eleftherias
@swiftloop Could you please provide some more information?
What is the expected behaviour and how does that compare to the behaviour that you are seeing?
Comment From: swiftloop
In the DefaultLoginPageGeneratingFilter.
I expect:
but: is 302 redirected to login
What should I do?
Comment From: eleftherias
@swiftloop The failureUrl is intended to be null if you set a custom failureHandler.
It seems like you need to permit all users to access the URL that your failure handler is redirecting to.
For example, if you wanted to use a failure handler that redirects to "/login-failure":

    http
        .authorizeRequests((authorize) -> authorize
            .mvcMatchers("/login-failure").permitAll()
            .anyRequest().authenticated()
        )
        .formLogin((formLogin) -> formLogin
            .failureHandler(new SimpleUrlAuthenticationFailureHandler("/login-failure"))
        );

Also, note that the default failure URL is "/login?error".
Comment From: swiftloop
Emmm, thanks for your suggestion. Actually, what I want is that when there is a verification error, it redirects to login and shows the error message (such as "Bad Credentials") on the default login page. However, after setting "failureHandler", it cannot show the error message, because "failureUrl" is null and "isErrorPage" in "DefaultLoginPageGeneratingFilter" is now false. So do I need to use a customized UI to solve this problem?
before setting "failureHandler":
after setting "failureHandler":
Comment From: eleftherias
@swiftloop
As you mention, if you set a custom failureHandler, Spring Security removes the default authentication failure behaviour, because it assumes you are doing something custom.
Could you share some more details on what you are trying to accomplish by customizing the failureHandler?
It seems like the default behaviour might be suitable for your use case.
Comment From: swiftloop
It turns out that I didn't follow the rules of Spring Security. Count the number of verification errors and disable the user account.
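
Added example, not part of the thread or of Spring Security itself: one way to count failed logins and lock the account without calling failureHandler(), so that failureUrl keeps its default "/login?error" and the generated login page still shows the error. It listens for Spring Security's authentication events; the class name LoginAttemptTracker, the MAX_FAILURES threshold and the in-memory map are assumptions, and it assumes an AuthenticationEventPublisher is active (Spring Boot registers one).

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Component;

// Hypothetical helper for illustration; not a Spring Security class.
@Component
public class LoginAttemptTracker {

    // Assumed threshold; pick a value that matches your lockout policy.
    private static final int MAX_FAILURES = 5;

    // In-memory counter for illustration only: it is lost on restart, is not
    // shared between nodes, and grows with every distinct username submitted
    // (unknown usernames also raise bad-credentials events by default), so a
    // real deployment should use a bounded or expiring store.
    private final ConcurrentMap<String, Integer> failures = new ConcurrentHashMap<>();

    // Fired when the submitted credentials are rejected as bad credentials.
    @EventListener
    public void onBadCredentials(AuthenticationFailureBadCredentialsEvent event) {
        String username = event.getAuthentication().getName();
        failures.merge(username, 1, Integer::sum);
    }

    // A successful login resets the counter for that user.
    @EventListener
    public void onSuccess(AuthenticationSuccessEvent event) {
        failures.remove(event.getAuthentication().getName());
    }

    // Consult this from your UserDetailsService when building the UserDetails,
    // e.g. User.withUsername(name)...accountLocked(tracker.isLocked(name)).
    // A locked account then fails through the default failure handling, so
    // the redirect to "/login?error" is unchanged.
    public boolean isLocked(String username) {
        return failures.getOrDefault(username, 0) >= MAX_FAILURES;
    }
}
```

Because the lock is keyed on the username alone, anyone who knows a username can lock that account by submitting wrong passwords, so an expiry on the counter or a time-limited lock is worth adding.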