Summary

This is a feature request.

I am using the security namespace with the element in my spring-security.xml configuration. When an AuthenticationProvider throws an AuthenticationException in a pre-authentication scenario (X509 certificate based authentication), there is no mechanism to forward the request to a specified page such as message.jsp.

Full details at: http://stackoverflow.com/questions/36631175/why-doesnt-failure-handling-work-in-spring-security-x-509-authentication/36708808?noredirect=1#comment61039365_36708808

Actual Behavior

The AuthenticationException thrown by the AuthenticationProvider's authenticate method is stored under the WebAttributes.AUTHENTICATION_EXCEPTION but it is never referenced elsewhere in the filter chain. The user is ultimately able to see a JSP page that they shouldn't be able to see, because the filter chain essentially ignores the Exception that was thrown by the AuthenticationProvider. If the filter sets the following property, <property name="continueFilterChainOnUnsuccessfulAuthentication" value="false" />, then the user cannot get to the page, but the AuthenticationException is thrown "up the filter chain" (e.g. not handled by Spring Security like I want it to be).

Expected Behavior

With other authentication mechanisms - such as form login - failure handlers can be used (e.g. failure-handler-url). It would be ideal if X509 authentication (and other preauthentication scenarios) supported failure handlers in some way.

Configuration

<security:http auto-config="false" pattern="/role/**" access-decision-manager-ref="adm" entry-point-ref="http403EntryPoint">
    <security:anonymous enabled="false"/>
    <security:access-denied-handler error-page="/message.jsp"/>
    <security:custom-filter ref="authFilter" position="PRE_AUTH_FILTER" />
</security:http>

<bean id="http403EntryPoint" class="..." />

<bean id="authFilter" class="...">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="continueFilterChainOnUnsuccessfulAuthentication" value="false" />
</bean>

Version

Version 4

Comment From: rwinch

Anytime you create a bean manually (i.e. authFilter), Spring Security's namespace is not going to modify it. This means you will need to define the handler manually.

I think this is solved in #3389. You can do something like:

<bean id="authFilter" class="...">
   ...
   <property name="authenticationFailureHandler" ref="failureHandler"/>
</bean>
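
The wiring rwinch describes, written out as a complete spring-security.xml fragment. This is an added example, not configuration from the issue or from the Spring Security project. It assumes the hand-defined filter is X509AuthenticationFilter (the issue elides the class with "..."), a Spring Security version in which the pre-authentication filter exposes the authenticationFailureHandler property, a PreAuthenticatedAuthenticationProvider as the provider that throws, and an application-supplied userDetailsService bean that is not shown.

```xml
<!-- Added example; not the issue's own configuration. Assumes
     X509AuthenticationFilter as the filter class (elided as "..." in the
     issue) and a version whose pre-auth filter exposes
     authenticationFailureHandler. -->
<security:http auto-config="false" pattern="/role/**"
               access-decision-manager-ref="adm"
               entry-point-ref="http403EntryPoint">
    <security:anonymous enabled="false"/>
    <security:access-denied-handler error-page="/message.jsp"/>
    <security:custom-filter ref="authFilter" position="PRE_AUTH_FILTER"/>
</security:http>

<!-- The filter is a plain bean, so the namespace will not attach a handler
     to it; the handler has to be set on the bean by hand. -->
<bean id="authFilter"
      class="org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <!-- Do not let the request continue to the JSP when the provider rejects
         the certificate. -->
    <property name="continueFilterChainOnUnsuccessfulAuthentication" value="false"/>
    <property name="authenticationFailureHandler" ref="failureHandler"/>
</bean>

<!-- Redirect failed pre-authentication to the message page. This handler also
     stores the AuthenticationException in the session under
     WebAttributes.AUTHENTICATION_EXCEPTION ("SPRING_SECURITY_LAST_EXCEPTION"),
     so message.jsp can show ${SPRING_SECURITY_LAST_EXCEPTION.message}. -->
<bean id="failureHandler"
      class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <property name="defaultFailureUrl" value="/message.jsp"/>
</bean>

<!-- Provider whose authenticate() throws the AuthenticationException the
     handler receives. Assumption: a UserDetailsService-backed pre-auth
     provider; "userDetailsService" is the application's own bean (not shown). -->
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="preauthProvider"/>
</security:authentication-manager>

<bean id="preauthProvider"
      class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService">
        <bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <property name="userDetailsService" ref="userDetailsService"/>
        </bean>
    </property>
</bean>
```

Two things to verify after applying this: first, that the authenticationFailureHandler property is present on the pre-authentication filter in the exact version in use, since the issue reporter's Version 4 predates it; second, what the filter does after the handler has written the redirect when continueFilterChainOnUnsuccessfulAuthentication is false (whether it still rethrows the exception depends on the version, and the issue does not say), by checking the behaviour of AbstractPreAuthenticatedProcessingFilter in that release.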

Comment From: KyleMoser

Agreed this seems to be addressed by the ability to use an authenticationFailureHandler. Thanks so much.