diff --git a/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java b/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java
index 6cfdb6faae..60cf579634 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -35,6 +35,7 @@ import org.springframework.security.web.WebAttributes;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 import org.springframework.web.filter.GenericFilterBean;
 import org.springframework.web.util.HtmlUtils;
@@ -195,7 +196,8 @@ public class DefaultLoginPageGeneratingFilter extends GenericFilterBean {
 if (session != null) {
 AuthenticationException ex = (AuthenticationException) session
 .getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
- errorMsg = (ex != null) ? ex.getMessage() : "Invalid credentials";
+ errorMsg = (ex != null && StringUtils.hasLength(ex.getMessage())) ? ex.getMessage()
+ : "Invalid credentials";
 }
 }
 String contextPath = request.getContextPath();
diff --git a/web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java
index 6c683ba8f5..12fdacdcf8 100644
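Review bot: The new guard on the `errorMsg` assignment uses `StringUtils.hasLength`, which accepts a whitespace-only message, so a blank exception message would still replace the fallback and the login page would show an empty-looking error. `StringUtils.hasText` covers null, empty and blank in one check: `errorMsg = (ex != null && StringUtils.hasText(ex.getMessage())) ? ex.getMessage() : "Invalid credentials";`. Any non-empty message from the session-stored exception is still shown to an unauthenticated visitor, so it is worth confirming that the value is HTML-escaped where it is written out (the file imports `HtmlUtils`, but the rendering code is outside this hunk) and that every message an authentication provider can put there is acceptable to disclose. The enclosing method starts and ends outside the hunk.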
--- a/web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java
@@ -171,4 +171,18 @@ public class DefaultLoginPageGeneratingFilterTests {
 .contains("Google < > " ' &");
 }
+ // gh-13768
+ @Test
+ public void generatesWhenExceptionWithEmptyMessageThenInvalidCredentials() throws Exception {
+ DefaultLoginPageGeneratingFilter filter = new DefaultLoginPageGeneratingFilter(
+ new UsernamePasswordAuthenticationFilter());
+ filter.setLoginPageUrl(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL);
+ MockHttpServletRequest request = new MockHttpServletRequest("GET", "/login");
+ request.setQueryString("error");
+ request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, new BadCredentialsException(null));
+ MockHttpServletResponse response = new MockHttpServletResponse();
+ filter.doFilter(request, response, this.chain);
+ assertThat(response.getContentAsString()).contains("Invalid credentials");
+ }
+
 }
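Review bot: The test name says "EmptyMessage" but the exception stored in the session is `new BadCredentialsException(null)`, so only the null case of the new `hasLength` check is exercised. A second case built the same way with `new BadCredentialsException("")` would pin the empty-string path that the method name describes. The `// gh-13768` marker could also carry one sentence on intent, for example `// gh-13768: fall back to the generic text when the stored exception has no message`.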