Return username and password to login form grails spring security

说谎 2020-12-06 22:43

When a user fails authentication, I want the username and password to be returned to the form. I'm using the spring security core plugin with Grails and Spring Security LD

3 Answers
  • 2020-12-06 23:11

    From UsernamePasswordAuthenticationFilter javadoc:

    If you want to retain the username, cache it in a customized AuthenticationFailureHandler

    As for the password, there is no point in caching it, because it cannot be put back into the form's password field for security reasons.

  • 2020-12-06 23:17

    I was able to do the following to get the username back to the form: In LoginController.groovy:

        render view: view, model: [postUrl: postUrl,
                                   rememberMeParameter: config.rememberMe.parameter,
                                   lastUsername: request.getSession().getAttribute("SPRING_SECURITY_LAST_USERNAME")]
    
  • 2020-12-06 23:26

    For future reference, as the above answers are either too vague to be helpful to those of us who are just beginning to learn this framework for the first time (prompting such questions as: what's an AuthenticationFailureHandler? How do I implement one? How do I connect it to my existing infrastructure that was magically created by the <security:http> namespace handler?) or no longer work (the code to store the username in SPRING_SECURITY_LAST_USERNAME was removed from UsernamePasswordAuthenticationFilter as of version 3.1.0), here's a little more detail on the first answer:

    • An AuthenticationFailureHandler is used by the login process to decide what to do when authentication fails.
    • The default login form setup as provided by <security:http><security:form-login /></security:http> uses a SimpleUrlAuthenticationFailureHandler to perform the redirection to the login failed url (which defaults to /spring_security_login?login_error).
    • You can hook your own implementation in by using the authentication-failure-handler-ref attribute of your <form-login> element.

    So, my implementation looks like this:

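    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

    public class UsernameStoringUrlAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler
    {
        @Override
        public void onAuthenticationFailure (HttpServletRequest request, HttpServletResponse response,
                AuthenticationException exception) throws IOException, ServletException
        {
            // Keep only the submitted username (never the password) in the session,
            // then let the parent handler redirect to the failure URL.
            request.getSession (true).setAttribute ("SPRING_SECURITY_LAST_USERNAME", request.getParameter ("j_username"));
            super.onAuthenticationFailure (request, response, exception);
        }
    }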
    

    which is configured thus:

    <security:form-login authentication-failure-handler-ref="authenticationFailureHandler" [...] />
    ...
    <bean id="authenticationFailureHandler" class="my.package.UsernameStoringUrlAuthenticationFailureHandler" p:defaultFailureUrl="/LoginError" />
    

    And then I can access the failed login username using the same approach as described in James Kleeh's answer here, but which no longer worked because of the change to the framework.
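
Added example, not part of the answers above: the read side for the handler in the third answer. The stored value is the raw `j_username` request parameter, so this sketch takes it out of the session once, bounds it, and HTML-escapes it before it goes back into the form. The class name `LastUsername` and the 64-character limit are assumptions; it uses the same `javax.servlet` API as the code on this page plus Spring's `HtmlUtils`.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.web.util.HtmlUtils;

/** Hypothetical helper (added example): safely consume the failed-login username. */
public final class LastUsername {

    // Same session key the failure handler on this page writes.
    static final String KEY = "SPRING_SECURITY_LAST_USERNAME";

    // Assumed upper bound; align it with your own username policy.
    static final int MAX_LEN = 64;

    private LastUsername() {}

    /**
     * Returns the username of the last failed login, HTML-escaped for use in
     * an input's value attribute, or "" if none is stored. The attribute is
     * removed on read so the value does not linger in the session.
     */
    public static String consume(HttpServletRequest request) {
        // getSession(false): do not create a session just to look for the value.
        HttpSession session = request.getSession(false);
        if (session == null) {
            return "";
        }
        Object raw = session.getAttribute(KEY);
        session.removeAttribute(KEY); // one-shot: show it once, then forget it
        if (!(raw instanceof String)) {
            return ""; // handler stored null (no j_username parameter) or nothing
        }
        // Drop control characters first, then cap the length of what remains.
        String name = ((String) raw).replaceAll("\\p{Cntrl}", "");
        if (name.length() > MAX_LEN) {
            name = name.substring(0, MAX_LEN);
        }
        // The value is user-supplied input; escape &, <, >, " and ' before
        // it is written into the login page.
        return HtmlUtils.htmlEscape(name);
    }
}
```

In a Grails controller the result would go into the model as `lastUsername`, as in the second answer. If the view already HTML-encodes expressions, return the unescaped value instead to avoid double encoding.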
