Roberto Ruiz (Migrated from SEC-1767) said:
In form login, I use a custom Authentication failure handler to redirect to login page and show a message. I configure it easily with the authentication-failure-handler-ref attribute.
It would be nice to be able to do the same for Session Management Filter in the security:session-management tag. Currently, if I want to change the handler, I have to create my own Session Management Filter and insert it in the chain:
I have to insert it before the default session management filter. For some reason it does not allow me to override the default one. My complete security configuration is:
<security:http
    auto-config="false"
    access-decision-manager-ref="mptAccessDecisionManager">
    <security:custom-filter position="PRE_AUTH_FILTER" ref="mptSSOFilter" />
    <security:custom-filter before="SESSION_MANAGEMENT_FILTER" ref="mptSessionManagementFilter" />
    <security:session-management session-authentication-strategy-ref="sessionAuthenticationStrategy" />
    <security:form-login
        login-page="/login.html"
        login-processing-url="/login_process.html"
        default-target-url="#{navigationProperties['after.login.uri']}"
        authentication-failure-handler-ref="mptAuthenticationFailureHandler"
        always-use-default-target="true"/>
    <security:logout invalidate-session="true" logout-url="/logout.html" logout-success-url="/login.html"/>
    <security:access-denied-handler ref="mptAccessDeniedHandler" />
    <security:anonymous enabled="true" />
    <security:intercept-url pattern="/prohibido.html" access="SIN_RESTRICCIONES" />
    <security:intercept-url pattern="/noencontrado.html" access="SIN_RESTRICCIONES" />
    <security:intercept-url pattern="/error.html" access="SIN_RESTRICCIONES" />
    <security:intercept-url pattern="/login.html" access="NO_AUTENTICADO" />
    <security:intercept-url pattern="/login_sso.html" access="NO_AUTENTICADO" />
    <security:intercept-url pattern="/perfil.html" access="NO_SELECCIONADO_PERFIL" />
    <security:intercept-url pattern="/**/*.html" access="CHECK_URL"/>
    <security:intercept-url pattern="/**" access="SIN_RESTRICCIONES"/>
</security:http>
<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="mptAuthenticationService" />
    <security:authentication-provider ref="mptPreAuthenticationService" />
</security:authentication-manager>
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<bean id="sessionAuthenticationStrategy" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"
    p:maximumSessions="#{loginProperties['sesiones.maximas.usuario']}"
    p:exceptionIfMaximumExceeded="true"
    autowire="constructor" />
<bean id="mptSessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter"
    p:authenticationFailureHandler-ref="mptAuthenticationFailureHandler"
    p:sessionAuthenticationStrategy-ref="sessionAuthenticationStrategy"
    autowire="constructor" />
Related gh-2121
Comment From: spring-projects-issues
Roberto Ruiz said:
I forgot to say something.
When I log in with the login form, then the login form authentication failure handler is used. I need to override the failure handler when I log in through the Preauthenticated login filter. In that case the filter chain uses the failure handler of the session management filter.
Comment From: AndreynRosa
Can I take this to try my first contribution?