How can I get the username from a failed login using spring security?

We're using spring security 3.0.5, Java 1.6 and Tomcat 6.0.32. In our .xml config file we've got:

    <form-login login-page="/index.html"
                default-target-url="/postSignin.html"
                always-use-default-target="true"
                authentication-failure-handler-ref="authenticationFailureHandler"/>

and our authenticationFailureHandler defined as:

    <beans:bean id="authenticationFailureHandler"
                class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
        <beans:property name="exceptionMappings">
            <beans:props>
                <beans:prop key="org.springframework.security.authentication.BadCredentialsException">/index.html?authenticationFailure=true</beans:prop>
            </beans:props>
        </beans:property>
    </beans:bean>

Java

    import javax.servlet.http.HttpServletRequest;

    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;

    @Controller
    public class IndexController {

        // Handles the redirect target configured in the failure handler's exceptionMappings.
        @RequestMapping(params = {"authenticationFailure=true"}, value = "/index.html")
        public String handleInvalidLogin(HttpServletRequest request) {
            // ...  How can I get the username that was used???
            // I've tried (given distinct names here so the method compiles):
            Object usernameByKeyName = request.getAttribute("SPRING_SECURITY_LAST_USERNAME_KEY");
            Object username = request.getAttribute("SPRING_SECURITY_LAST_USERNAME");  // deprecated
            return "index";  // view name assumed for illustration
        }
    }

So we're directing all BadCredentialsExceptions to the index.html and IndexController. In the IndexController I'd like to get the username that was used for the failed login attempt. How can I do this?

kasdega asked Dec 30 '11 04:12
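One way to make the submitted username available to the IndexController with the configuration shown in the question is to put it in the session from a custom AuthenticationFailureHandler, then read it (once) in the controller. The following is an added example and not code from the question or the answer; it assumes the Spring Security 3.0 default form field name `j_username`, and the attribute name `app.lastFailedUsername`, the `UsernameCapturingFailureHandler` class, the `sanitize` helper and the `index` view name are all this example's own choices. The bean definition from the question stays the same apart from pointing `class` at the subclass, since `exceptionMappings` is inherited. Note that the asker's second lookup uses a request attribute, whereas in 3.0.x the login filter stored the last username in the session, and that attribute is deprecated; the handler below does not depend on it.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

/**
 * Stores the username submitted with a failed login in the session, then lets
 * ExceptionMappingAuthenticationFailureHandler pick the redirect target.
 * (Example class; in a real project each public class lives in its own file.)
 */
public class UsernameCapturingFailureHandler extends ExceptionMappingAuthenticationFailureHandler {

    // Attribute name chosen for this example; it is not a Spring Security constant.
    public static final String LAST_FAILED_USERNAME = "app.lastFailedUsername";

    // Anything submitted on a failed login is untrusted input: cap its length.
    private static final int MAX_USERNAME_LENGTH = 64;

    // "j_username" is the default <form-login> field name in Spring Security 3.0.
    private String usernameParameter = "j_username";

    public void setUsernameParameter(String usernameParameter) {
        this.usernameParameter = usernameParameter;
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request,
                                        HttpServletResponse response,
                                        AuthenticationException exception)
            throws IOException, ServletException {
        String username = sanitize(request.getParameter(usernameParameter));
        if (username != null) {
            // Session rather than request attribute: the handler redirects,
            // so the controller runs in a new request.
            request.getSession(true).setAttribute(LAST_FAILED_USERNAME, username);
        }
        // Delegate the BadCredentialsException -> /index.html?authenticationFailure=true mapping.
        super.onAuthenticationFailure(request, response, exception);
    }

    /** Trims, strips control characters and truncates; null for empty input. */
    static String sanitize(String raw) {
        if (raw == null) {
            return null;
        }
        String s = raw.trim().replaceAll("\\p{Cntrl}", "");
        if (s.length() > MAX_USERNAME_LENGTH) {
            s = s.substring(0, MAX_USERNAME_LENGTH);
        }
        return s.isEmpty() ? null : s;
    }
}

@Controller
class IndexController {

    @RequestMapping(params = {"authenticationFailure=true"}, value = "/index.html")
    public String handleInvalidLogin(HttpServletRequest request, Model model) {
        String lastFailedUsername = null;
        HttpSession session = request.getSession(false);
        if (session != null) {
            lastFailedUsername = (String) session.getAttribute(UsernameCapturingFailureHandler.LAST_FAILED_USERNAME);
            // One-shot: do not keep a failed-login username around longer than needed.
            session.removeAttribute(UsernameCapturingFailureHandler.LAST_FAILED_USERNAME);
        }
        // The view must HTML-escape this value; it came straight from the login form.
        model.addAttribute("lastFailedUsername", lastFailedUsername);
        return "index";  // view name assumed for this example
    }
}
```

The value is removed from the session as soon as the controller reads it, and the handler only ever captures the username, never the password parameter. If the login form uses a custom field name (`username-parameter` on `<form-login>`), set the same name via the `usernameParameter` property on the bean.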


1 Answer

Okay so the answer turned out to be something extremely simple yet as far as I can tell, not greatly discussed or documented.

Here's all I had to do (no configurations anywhere just created this class)...

    import org.apache.log4j.Logger;
    import org.springframework.context.ApplicationListener;
    import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
    import org.springframework.stereotype.Component;

    // Receives the event Spring Security publishes when a BadCredentialsException is raised.
    @Component
    public class MyApplicationListener implements ApplicationListener<AuthenticationFailureBadCredentialsEvent> {

        private static final Logger LOG = Logger.getLogger(MyApplicationListener.class);

        @Override
        public void onApplicationEvent(AuthenticationFailureBadCredentialsEvent event) {
            // The rejected Authentication token carries the submitted username and password.
            Object userName = event.getAuthentication().getPrincipal();
            Object credentials = event.getAuthentication().getCredentials();
            LOG.debug("Failed login using USERNAME [" + userName + "]");
            LOG.debug("Failed login using PASSWORD [" + credentials + "]");  // writes the submitted password to the log
        }
    }

I'm far from a spring security expert so if anyone reads this and knows of a reason we shouldn't do it like this or knows a better way I'd love to hear about it.

kasdega answered Sep 21 '22 13:09
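The event-listener approach in the answer is also the natural place to build an audit trail of failed logins. The listener below is an added example, not the answer's code: it logs the username, client address and the exception type instead of the submitted password, neutralises control characters in the attacker-controlled username before it reaches the log, and keeps a per-username count of consecutive failures that is reset on success. The class name, the `auth.failure`/`auth.success` log format and the `ALERT_THRESHOLD` value are this example's own choices; the event classes and `WebAuthenticationDetails.getRemoteAddress()` are standard Spring Security API.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicInteger;

import org.apache.log4j.Logger;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.stereotype.Component;

/**
 * Audits authentication outcomes. Listens to the common supertype so one bean
 * sees every failure subtype (bad credentials, locked, disabled, ...) and the
 * success event that clears the failure counter.
 */
@Component
public class AuthenticationAuditListener implements ApplicationListener<AbstractAuthenticationEvent> {

    private static final Logger LOG = Logger.getLogger(AuthenticationAuditListener.class);

    // Example value: how many consecutive failures for one username raise an alert.
    static final int ALERT_THRESHOLD = 5;

    // In-memory, per-node counter keyed by the submitted username (Java 1.6: no diamond).
    private final ConcurrentMap<String, AtomicInteger> consecutiveFailures =
            new ConcurrentHashMap<String, AtomicInteger>();

    @Override
    public void onApplicationEvent(AbstractAuthenticationEvent event) {
        String username = forLog(event.getAuthentication().getPrincipal());
        String remoteAddress = remoteAddress(event);

        if (event instanceof AbstractAuthenticationFailureEvent) {
            AbstractAuthenticationFailureEvent failure = (AbstractAuthenticationFailureEvent) event;
            int count = recordFailure(username);
            // The failure reason is the exception class; getCredentials() is never logged.
            LOG.warn("auth.failure user=\"" + username + "\" ip=" + remoteAddress
                    + " reason=" + failure.getException().getClass().getSimpleName()
                    + " consecutiveFailures=" + count);
            if (count >= ALERT_THRESHOLD) {
                LOG.error("auth.failure.threshold user=\"" + username + "\" ip=" + remoteAddress
                        + " consecutiveFailures=" + count);
            }
        } else if (event instanceof AuthenticationSuccessEvent) {
            consecutiveFailures.remove(username);
            LOG.info("auth.success user=\"" + username + "\" ip=" + remoteAddress);
        }
    }

    /** Increments and returns the consecutive-failure count for a username. */
    int recordFailure(String username) {
        AtomicInteger counter = consecutiveFailures.get(username);
        if (counter == null) {
            AtomicInteger fresh = new AtomicInteger();
            counter = consecutiveFailures.putIfAbsent(username, fresh);
            if (counter == null) {
                counter = fresh;
            }
        }
        return counter.incrementAndGet();
    }

    /** Replaces control characters (including newlines) so a crafted username cannot forge log lines. */
    static String forLog(Object principal) {
        String s = String.valueOf(principal).replaceAll("\\p{Cntrl}", "?");
        return s.length() > 64 ? s.substring(0, 64) : s;
    }

    private static String remoteAddress(AbstractAuthenticationEvent event) {
        Object details = event.getAuthentication().getDetails();
        if (details instanceof WebAuthenticationDetails) {
            return ((WebAuthenticationDetails) details).getRemoteAddress();
        }
        return "unknown";
    }
}
```

Because the map is keyed by whatever username was typed, it grows with every distinct failed username; on an internet-facing login page bound the map (evict old entries or use a cache with a size limit) and, if several Tomcat nodes share the application, keep the counter in a shared store so the threshold is enforced across nodes rather than per JVM.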