
Commit bcef8f9

committed
Merge branch '6.0.x' into 6.1.x
Closes gh-14117
2 parents 4222537 + 4990373 commit bcef8f9

2 files changed

+25
-4
lines changed


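--- a/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java
@@ -35,6 +35,7 @@
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 import org.springframework.web.filter.GenericFilterBean;
 import org.springframework.web.util.HtmlUtils;
 
@@ -266,11 +267,17 @@ private String generateLoginPageHtml(HttpServletRequest request, boolean loginEr
 
 private String getLoginErrorMessage(HttpServletRequest request) {
 HttpSession session = request.getSession(false);
-if (session != null && session
-.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION) instanceof AuthenticationException exception) {
-return exception.getMessage();
+if (session == null) {
+return "Invalid credentials";
 }
-return "Invalid credentials";
+if (!(session
+.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION) instanceof AuthenticationException exception)) {
+return "Invalid credentials";
+}
+if (!StringUtils.hasText(exception.getMessage())) {
+return "Invalid credentials";
+}
+return exception.getMessage();
 }
 
 private String renderHiddenInputs(HttpServletRequest request) {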
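Review bot: The fallback literal `"Invalid credentials"` is now repeated three times inside getLoginErrorMessage, so a future wording change has to be made in three places; hoisting it to `private static final String DEFAULT_ERROR_MESSAGE = "Invalid credentials";` and returning the constant from each guard keeps the early-return shape without the duplication. The last guard also calls `exception.getMessage()` twice; binding it once with `String message = exception.getMessage();` and using `message` in both the `hasText` check and the return avoids depending on repeated calls yielding the same value. Since the method now returns the stored exception's own text whenever it is non-blank, the escaping applied where that string is rendered (HtmlUtils is imported at the top of the file, but the render site is outside this hunk) remains the only control over what reaches the page; a short comment on the final return such as `// caller must HTML-escape: this is the raw exception text` would make that dependency explicit.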

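--- a/web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java
@@ -171,4 +171,18 @@ public void generatesForSaml2LoginAndEscapesClientName() throws Exception {
 .contains("<a href=\"/saml/sso/google\">Google &lt; &gt; &quot; &#39; &amp;</a>");
 }
 
+// gh-13768
+@Test
+public void generatesWhenExceptionWithEmptyMessageThenInvalidCredentials() throws Exception {
+DefaultLoginPageGeneratingFilter filter = new DefaultLoginPageGeneratingFilter(
+new UsernamePasswordAuthenticationFilter());
+filter.setLoginPageUrl(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL);
+MockHttpServletRequest request = new MockHttpServletRequest("GET", "/login");
+request.setQueryString("error");
+request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, new BadCredentialsException(null));
+MockHttpServletResponse response = new MockHttpServletResponse();
+filter.doFilter(request, response, this.chain);
+assertThat(response.getContentAsString()).contains("Invalid credentials");
+}
+
 }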
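Review bot: The new test exercises only a `null` message, while the production guard it covers uses `StringUtils.hasText`, which also treats empty and whitespace-only messages as absent; a second case storing `new BadCredentialsException("  ")` (and one with `""`) and asserting the same `"Invalid credentials"` text would pin the rest of that contract. The method name says "EmptyMessage" but the fixture passes `null`, so either renaming it to mention a null message or adding the blank-string variants above would keep the name honest. The `// gh-13768` comment could carry a few words on the regression it guards (an exception with no message previously produced a page with no error text) so the reference is useful without opening the issue. The enclosing test class closes at the last line of this hunk.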
