Vaadin LoginForm Failure Handler Breaks login?error URL-CodePudding

I'm using the Vaadin LoginForm with Spring Security in a Spring Boot project. By default it redirects to /login?error if authentication fails for any reason. I want to redirect for certain failures, specifically if the user hasn't validated their email yet. I'm trying to use the failureHandler feature to do this, but as soon as I create one, the /login?error URL suddenly requires the user to be authenticated, while /login functions as normal.

My login view:

@PageTitle("Login")
@Route("login", layout = MainLayout::class)
class LoginView : VerticalLayout(), BeforeEnterObserver {
    private val loginForm: LoginForm

    init {
        alignItems = FlexComponent.Alignment.CENTER
        className = "login-view"
        width = LumoUtility.Width.AUTO


        loginForm = loginForm { action = "login" }
        button("Register") {
            onLeftClick { ui.ifPresent { it.navigate("register")} }
        }
    }

    override fun beforeEnter(beforeEnterEvent: BeforeEnterEvent) {
        if (beforeEnterEvent.location.queryParameters.parameters.containsKey("error")) {
            loginForm.isError = true
        }
    }
}

My security configuration:

@Configuration
@EnableWebSecurity
class SecurityConfiguration : VaadinWebSecurityConfigurerAdapter() {

    @Throws(Exception::class)
    override fun configure(http: HttpSecurity) {

        http.formLogin()
            .failureHandler(object : SimpleUrlAuthenticationFailureHandler() {
                override fun onAuthenticationFailure(
                    request: HttpServletRequest?,
                    response: HttpServletResponse?,
                    exception: AuthenticationException?
                ) {
                    super.onAuthenticationFailure(request, response, exception)
                }
            })

        super.configure(http)
        setLoginView(http, LoginView::class.java)
    }

As you can see, all I did was add a failureHandler in my security configuration function that simply calls the default failureHandler, but that is enough to break the /login?error. If I remove that failureHandler, then it works as expected and shows the /login?error URL when login fails. How do I get this to work?

CodePudding user response：

You setting a failureHandler overrides the default of simply redirecting to /login?error (and automatically configuring this URL to not require authentication). Looking at the code you can only have one AuthenticationFailureHandler.