Spring Security AbstractAuthenticationFilterConfigurer failureUrl Javadoc is incorrect

The failureUrl(String) Javadoc states that this method is a shortcut for invoking failureHandler(AuthenticationFailureHandler), which is incorrect.

The behavior of failureUrl changes based on whether a custom loginPage is configured, while the behavior of failureHandler stays the same in either case.

When a custom login page is configured

http
    .formLogin((formLogin) -> formLogin
        .loginPage("/custom-login")
        .failureUrl("/failure")
    );

In this case, developers are required to process the specified URL ("/failure") to generate an error page.

When a custom login page is not configured

http
    .formLogin((formLogin) -> formLogin
        .failureUrl("/failure")
    );

In this case, the framework will process the specified URL ("/failure") and generate the default error page, which is simply the default login page with an error message. If a developer has created a mapping for "/failure", it will be ignored.

This applies to formLogin, oauth2Login and saml2Login.