SEC-1429: Move logic for saving of AuthenticationException into the SimpleUrlAuthenticationFailurehandler from AbstractAuthenticationProcessingFilter. It will also now use request scope if configured to do a forward instead of a redirect.

config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java

@@ -163,7 +163,7 @@ final class AuthenticationConfigBuilder {
 
         if (formLoginElt != null || autoConfig) {
             FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser("/j_spring_security_check",
-                    AUTHENTICATION_PROCESSING_FILTER_CLASS, requestCache, sessionStrategy);
+                    AUTHENTICATION_PROCESSING_FILTER_CLASS, requestCache, sessionStrategy, allowSessionCreation);
 
             parser.parse(formLoginElt, pc);
             formFilter = parser.getFilterBean();
@@ -171,7 +171,7 @@ final class AuthenticationConfigBuilder {
         }
 
         if (formFilter != null) {
-            formFilter.getPropertyValues().addPropertyValue("allowSessionCreation", new Boolean(allowSessionCreation));
+            formFilter.getPropertyValues().addPropertyValue("allowSessionCreation", allowSessionCreation);
             formFilter.getPropertyValues().addPropertyValue("authenticationManager", authManager);
 
             // Id is required by login page filter
@@ -186,7 +186,7 @@ final class AuthenticationConfigBuilder {
 
         if (openIDLoginElt != null) {
             FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser("/j_spring_openid_security_check",
-                    OPEN_ID_AUTHENTICATION_PROCESSING_FILTER_CLASS, requestCache, sessionStrategy);
+                    OPEN_ID_AUTHENTICATION_PROCESSING_FILTER_CLASS, requestCache, sessionStrategy, allowSessionCreation);
 
             parser.parse(openIDLoginElt, pc);
             openIDFilter = parser.getFilterBean();
@@ -221,7 +221,7 @@ final class AuthenticationConfigBuilder {
         }
 
         if (openIDFilter != null) {
-            openIDFilter.getPropertyValues().addPropertyValue("allowSessionCreation", new Boolean(allowSessionCreation));
+            openIDFilter.getPropertyValues().addPropertyValue("allowSessionCreation", allowSessionCreation);
             openIDFilter.getPropertyValues().addPropertyValue("authenticationManager", authManager);
             // Required by login page filter
             openIDFilterId = pc.getReaderContext().generateBeanName(openIDFilter);
@@ -524,7 +524,8 @@ final class AuthenticationConfigBuilder {
     }
 
     void createUserServiceInjector() {
-        BeanDefinitionBuilder userServiceInjector = BeanDefinitionBuilder.rootBeanDefinition(UserDetailsServiceInjectionBeanPostProcessor.class);
+        BeanDefinitionBuilder userServiceInjector =
+            BeanDefinitionBuilder.rootBeanDefinition(UserDetailsServiceInjectionBeanPostProcessor.class);
         userServiceInjector.addConstructorArgValue(x509ProviderId);
         userServiceInjector.addConstructorArgValue(rememberMeServicesId);
         userServiceInjector.addConstructorArgValue(openIDProviderId);

config/src/main/java/org/springframework/security/config/http/FormLoginBeanDefinitionParser.java

@@ -31,7 +31,8 @@ public class FormLoginBeanDefinitionParser {
     private static final String DEF_FORM_LOGIN_TARGET_URL = "/";
 
     private static final String ATT_FORM_LOGIN_AUTHENTICATION_FAILURE_URL = "authentication-failure-url";
-    private static final String DEF_FORM_LOGIN_AUTHENTICATION_FAILURE_URL = DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL + "?" + DefaultLoginPageGeneratingFilter.ERROR_PARAMETER_NAME;
+    private static final String DEF_FORM_LOGIN_AUTHENTICATION_FAILURE_URL =
+        DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL + "?" + DefaultLoginPageGeneratingFilter.ERROR_PARAMETER_NAME;
 
     private static final String ATT_SUCCESS_HANDLER_REF = "authentication-success-handler-ref";
     private static final String ATT_FAILURE_HANDLER_REF = "authentication-failure-handler-ref";
@@ -40,17 +41,19 @@ public class FormLoginBeanDefinitionParser {
     private final String filterClassName;
     private final BeanReference requestCache;
     private final BeanReference sessionStrategy;
+    private final boolean allowSessionCreation;
 
     private RootBeanDefinition filterBean;
     private RootBeanDefinition entryPointBean;
     private String loginPage;
 
     FormLoginBeanDefinitionParser(String defaultLoginProcessingUrl, String filterClassName,
-            BeanReference requestCache, BeanReference sessionStrategy) {
+            BeanReference requestCache, BeanReference sessionStrategy, boolean allowSessionCreation) {
         this.defaultLoginProcessingUrl = defaultLoginProcessingUrl;
         this.filterClassName = filterClassName;
         this.requestCache = requestCache;
         this.sessionStrategy = sessionStrategy;
+        this.allowSessionCreation = allowSessionCreation;
     }
 
     public BeanDefinition parse(Element elt, ParserContext pc) {
@@ -135,6 +138,7 @@ public class FormLoginBeanDefinitionParser {
                 }
             }
             failureHandler.addPropertyValue("defaultFailureUrl", authenticationFailureUrl);
+            failureHandler.addPropertyValue("allowSessionCreation", allowSessionCreation);
             filterBuilder.addPropertyValue("authenticationFailureHandler", failureHandler.getBeanDefinition());
         }
 

core/src/test/java/org/springframework/security/core/userdetails/memory/UserMapTests.java

@@ -16,14 +16,12 @@
 package org.springframework.security.core.userdetails.memory;
 
 import static org.junit.Assert.*;
-import junit.framework.TestCase;
 
 import org.junit.Test;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
-import org.springframework.security.core.userdetails.memory.UserMap;
 
 
 /**

web/src/main/java/org/springframework/security/web/WebAttributes.java

@@ -0,0 +1,14 @@
+package org.springframework.security.web;
+
+/**
+ * Well-known keys which are used to store Spring Security information in request or session scope.
+ *
+ * @author Luke Taylor
+ * @since 3.0.3
+ */
+public final class WebAttributes {
+    public static final String ACCESS_DENIED_403 = "SPRING_SECURITY_403_EXCEPTION";
+    public static final String AUTHENTICATION_EXCEPTION = "SPRING_SECURITY_LAST_EXCEPTION";
+    public static final String LAST_USERNAME = "SPRING_SECURITY_LAST_USERNAME";
+    public static final String SAVED_REQUEST = "SPRING_SECURITY_SAVED_REQUEST_KEY";
+}

web/src/main/java/org/springframework/security/web/access/AccessDeniedHandlerImpl.java

@@ -25,6 +25,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.web.WebAttributes;
 
 
 /**
@@ -35,14 +36,17 @@ import org.springframework.security.access.AccessDeniedException;
  * Being a "forward", the <code>SecurityContextHolder</code> will remain
  * populated. This is of benefit if the view (or a tag library or macro) wishes to access the
  * <code>SecurityContextHolder</code>. The request scope will also be populated with the exception itself, available
- * from the key {@link #SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY}.
+ * from the key {@link WebAttributes.ACCESS_DENIED_403}.
  *
  * @author Ben Alex
  */
 public class AccessDeniedHandlerImpl implements AccessDeniedHandler {
     //~ Static fields/initializers =====================================================================================
-
-    public static final String SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY = "SPRING_SECURITY_403_EXCEPTION";
+    /**
+     * @deprecated Use the value in {@link WebAttributes} directly.
+     */
+    @Deprecated
+    public static final String SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY = WebAttributes.ACCESS_DENIED_403;
     protected static final Log logger = LogFactory.getLog(AccessDeniedHandlerImpl.class);
 
     //~ Instance fields ================================================================================================
@@ -56,7 +60,7 @@ public class AccessDeniedHandlerImpl implements AccessDeniedHandler {
         if (!response.isCommitted()) {
             if (errorPage != null) {
                 // Put exception into request scope (perhaps of use to a view)
-                request.setAttribute(SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY, accessDeniedException);
+                request.setAttribute(WebAttributes.ACCESS_DENIED_403, accessDeniedException);
 
                 // Set the 403 status code.
                 response.setStatus(HttpServletResponse.SC_FORBIDDEN);

web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java

@@ -23,7 +23,6 @@ import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
 
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.ApplicationEventPublisherAware;
@@ -37,6 +36,7 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.SpringSecurityMessageSource;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.WebAttributes;
 import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
 import org.springframework.security.web.util.UrlUtils;
@@ -76,20 +76,16 @@ import org.springframework.web.filter.GenericFilterBean;
  *
  * <h4>Authentication Failure</h4>
  *
- * If authentication fails, the resulting <tt>AuthenticationException</tt> will be placed into the <tt>HttpSession</tt>
- * with the attribute defined by {@link #SPRING_SECURITY_LAST_EXCEPTION_KEY}. It will then delegate to the configured
- * {@link AuthenticationFailureHandler} to allow the failure information to be conveyed to the client.
- * The default implementation is {@link SimpleUrlAuthenticationFailureHandler}, which sends a 401 error code to the
- * client. It may also be configured with a failure URL as an alternative. Again you can inject whatever
- * behaviour you require here.
+ * If authentication fails, it will delegate to the configured {@link AuthenticationFailureHandler} to allow the
+ * failure information to be conveyed to the client. The default implementation is
+ * {@link SimpleUrlAuthenticationFailureHandler}, which sends a 401 error code to the client. It may also be configured
+ * with a failure URL as an alternative. Again you can inject whatever behaviour you require here.
  *
  * <h4>Event Publication</h4>
  *
- * If authentication is successful, an
- * {@link org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent
- * InteractiveAuthenticationSuccessEvent} will be published via the application context. No events will be published if
- * authentication was unsuccessful, because this would generally be recorded via an
- * <tt>AuthenticationManager</tt>-specific application event.
+ * If authentication is successful, an {@link InteractiveAuthenticationSuccessEvent} will be published via the
+ * application context. No events will be published if authentication was unsuccessful, because this would generally be
+ * recorded via an {@code AuthenticationManager}-specific application event.
  * <p>
  * The filter has an optional attribute <tt>invalidateSessionOnSuccessfulAuthentication</tt> that will invalidate
  * the current session on successful authentication. This is to protect against session fixation attacks (see
@@ -106,7 +102,11 @@ public abstract class AbstractAuthenticationProcessingFilter extends GenericFilt
         ApplicationEventPublisherAware, MessageSourceAware {
     //~ Static fields/initializers =====================================================================================
 
-    public static final String SPRING_SECURITY_LAST_EXCEPTION_KEY = "SPRING_SECURITY_LAST_EXCEPTION";
+    /**
+     * @deprecated Use the value in {@link WebAttributes} directly.
+     */
+    @Deprecated
+    public static final String SPRING_SECURITY_LAST_EXCEPTION_KEY = WebAttributes.AUTHENTICATION_EXCEPTION;
 
     //~ Instance fields ================================================================================================
 
@@ -321,12 +321,6 @@ public abstract class AbstractAuthenticationProcessingFilter extends GenericFilt
             logger.debug("Delegating to authentication failure handler" + failureHandler);
         }
 
-        HttpSession session = request.getSession(false);
-
-        if (session != null || allowSessionCreation) {
-            request.getSession().setAttribute(SPRING_SECURITY_LAST_EXCEPTION_KEY, failed);
-        }
-
         rememberMeServices.loginFail(request, response);
 
         failureHandler.onAuthenticationFailure(request, response, failed);

web/src/main/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationFailureHandler.java

@@ -5,10 +5,12 @@ import java.io.IOException;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.WebAttributes;
 import org.springframework.security.web.DefaultRedirectStrategy;
 import org.springframework.security.web.RedirectStrategy;
 import org.springframework.security.web.util.UrlUtils;
@@ -31,6 +33,7 @@ public class SimpleUrlAuthenticationFailureHandler implements AuthenticationFail
 
     private String defaultFailureUrl;
     private boolean forwardToDestination = false;
+    private boolean allowSessionCreation = true;
     private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
 
     public SimpleUrlAuthenticationFailureHandler() {
@@ -40,6 +43,12 @@ public class SimpleUrlAuthenticationFailureHandler implements AuthenticationFail
         setDefaultFailureUrl(defaultFailureUrl);
     }
 
+    /**
+     * Performs the redirect or forward to the {@code defaultFailureUrl} if set, otherwise returns a 401 error code.
+     * <p>
+     * If redirecting or forwarding, {@code saveException} will be called to cache the exception for use in
+     * the target view.
+     */
     public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
             AuthenticationException exception) throws IOException, ServletException {
 
@@ -48,6 +57,8 @@ public class SimpleUrlAuthenticationFailureHandler implements AuthenticationFail
 
             response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication Failed: " + exception.getMessage());
         } else {
+            saveException(request, exception);
+
             if (forwardToDestination) {
                 logger.debug("Forwarding to " + defaultFailureUrl);
 
@@ -59,6 +70,25 @@ public class SimpleUrlAuthenticationFailureHandler implements AuthenticationFail
         }
     }
 
+    /**
+     * Caches the {@code AuthenticationException} for use in view rendering.
+     * <p>
+     * If {@code forwardToDestination} is set to true, request scope will be used, otherwise it will attempt to store
+     * the exception in the session. If there is no session and {@code allowSessionCreation} is {@code true} a session
+     * will be created. Otherwise the exception will not be stored.
+     */
+    protected final void saveException(HttpServletRequest request, AuthenticationException exception) {
+        if (forwardToDestination) {
+            request.setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, exception);
+        } else {
+            HttpSession session = request.getSession(false);
+
+            if (session != null || allowSessionCreation) {
+                request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, exception);
+            }
+        }
+    }
+
     /**
      * The URL which will be used as the failure destination.
      *
@@ -92,4 +122,12 @@ public class SimpleUrlAuthenticationFailureHandler implements AuthenticationFail
     protected RedirectStrategy getRedirectStrategy() {
         return redirectStrategy;
     }
+
+    protected boolean isAllowSessionCreation() {
+        return allowSessionCreation;
+    }
+
+    public void setAllowSessionCreation(boolean allowSessionCreation) {
+        this.allowSessionCreation = allowSessionCreation;
+    }
 }

web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java

@@ -19,7 +19,7 @@ import org.springframework.security.authentication.event.InteractiveAuthenticati
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
+import org.springframework.security.web.WebAttributes;
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.util.Assert;
 import org.springframework.web.filter.GenericFilterBean;
@@ -176,7 +176,7 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
         if (logger.isDebugEnabled()) {
             logger.debug("Cleared security context due to exception", failed);
         }
-        request.getSession().setAttribute(AbstractAuthenticationProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY, failed);
+        request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, failed);
     }
 
     /**

web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java

@@ -13,7 +13,7 @@ import javax.servlet.http.HttpSession;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.web.savedrequest.DefaultSavedRequest;
+import org.springframework.security.web.WebAttributes;
 
 /**
  * The default implementation of {@link SessionAuthenticationStrategy}.
@@ -44,7 +44,7 @@ public class SessionFixationProtectionStrategy implements SessionAuthenticationS
      * In the case where the attributes will not be migrated, this field allows a list of named attributes
      * which should <em>not</em> be discarded.
      */
-    private List<String> retainedAttributes = Arrays.asList(DefaultSavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY);
+    private List<String> retainedAttributes = Arrays.asList(WebAttributes.SAVED_REQUEST);
 
     /**
      * If set to <tt>true</tt>, a session will always be created, even if one didn't exist at the start of the request.

web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java

@@ -11,6 +11,7 @@ import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.WebAttributes;
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
@@ -100,7 +101,7 @@ public class DefaultLoginPageGeneratingFilter extends GenericFilterBean {
 
             if(session != null) {
                 lastUser = (String) session.getAttribute(UsernamePasswordAuthenticationFilter.SPRING_SECURITY_LAST_USERNAME_KEY);
-                AuthenticationException ex = (AuthenticationException) session.getAttribute(AbstractAuthenticationProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY);
+                AuthenticationException ex = (AuthenticationException) session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
                 errorMsg = ex != null ? ex.getMessage() : "none";
                 if (lastUser == null) {
                     lastUser = "";

web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java

@@ -30,6 +30,7 @@ import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.security.web.PortResolver;
+import org.springframework.security.web.WebAttributes;
 import org.springframework.security.web.util.UrlUtils;
 import org.springframework.util.Assert;
 
@@ -51,8 +52,11 @@ public class DefaultSavedRequest implements SavedRequest {
     //~ Static fields/initializers =====================================================================================
 
     protected static final Log logger = LogFactory.getLog(DefaultSavedRequest.class);
-
-    public static final String SPRING_SECURITY_SAVED_REQUEST_KEY = "SPRING_SECURITY_SAVED_REQUEST_KEY";
+    /**
+     * @deprecated Use the value in {@link WebAttributes} directly.
+     */
+    @Deprecated
+    public static final String SPRING_SECURITY_SAVED_REQUEST_KEY = WebAttributes.SAVED_REQUEST;
 
     private static final String HEADER_IF_NONE_MATCH = "If-None-Match";
 

web/src/main/java/org/springframework/security/web/savedrequest/HttpSessionRequestCache.java

@@ -8,6 +8,7 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.security.web.PortResolver;
 import org.springframework.security.web.PortResolverImpl;
+import org.springframework.security.web.WebAttributes;
 
 /**
  * <tt>RequestCache</tt> which stores the <tt>SavedRequest</tt> in the HttpSession.
@@ -34,7 +35,7 @@ public class HttpSessionRequestCache implements RequestCache {
             if (createSessionAllowed || request.getSession(false) != null) {
                 // Store the HTTP request itself. Used by AbstractAuthenticationProcessingFilter
                 // for redirection after successful authentication (SEC-29)
-                request.getSession().setAttribute(DefaultSavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY, savedRequest);
+                request.getSession().setAttribute(WebAttributes.SAVED_REQUEST, savedRequest);
                 logger.debug("DefaultSavedRequest added to Session: " + savedRequest);
             }
         }
@@ -45,7 +46,7 @@ public class HttpSessionRequestCache implements RequestCache {
         HttpSession session = currentRequest.getSession(false);
 
         if (session != null) {
-            return (DefaultSavedRequest) session.getAttribute(DefaultSavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY);
+            return (DefaultSavedRequest) session.getAttribute(WebAttributes.SAVED_REQUEST);
         }
 
         return null;
@@ -56,7 +57,7 @@ public class HttpSessionRequestCache implements RequestCache {
 
         if (session != null) {
             logger.debug("Removing DefaultSavedRequest from session if present");
-            session.removeAttribute(DefaultSavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY);
+            session.removeAttribute(WebAttributes.SAVED_REQUEST);
         }
     }
 

web/src/test/java/org/springframework/security/web/access/ExceptionTranslationFilterTests.java

@@ -41,6 +41,7 @@ import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.WebAttributes;
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
 import org.springframework.security.web.savedrequest.DefaultSavedRequest;
 import org.springframework.security.web.util.ThrowableAnalyzer;
@@ -65,7 +66,7 @@ public class ExceptionTranslationFilterTests {
             return null;
         }
 
-        DefaultSavedRequest savedRequest = (DefaultSavedRequest) session.getAttribute(DefaultSavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY);
+        DefaultSavedRequest savedRequest = (DefaultSavedRequest) session.getAttribute(WebAttributes.SAVED_REQUEST);
 
         return savedRequest.getRedirectUrl();
     }
@@ -127,8 +128,7 @@ public class ExceptionTranslationFilterTests {
         MockHttpServletResponse response = new MockHttpServletResponse();
         filter.doFilter(request, response, fc);
         assertEquals(403, response.getStatus());
-        assertEquals(AccessDeniedException.class, request.getAttribute(
-                AccessDeniedHandlerImpl.SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY).getClass());
+        assertEquals(AccessDeniedException.class, request.getAttribute(WebAttributes.ACCESS_DENIED_403).getClass());
     }
 
     @Test
@@ -198,7 +198,7 @@ public class ExceptionTranslationFilterTests {
         doThrow(new BadCredentialsException("")).when(fc).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
         request.setMethod("POST");
         filter.doFilter(request, new MockHttpServletResponse(), fc);
-        assertTrue(request.getSession().getAttribute(DefaultSavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY) == null);
+        assertTrue(request.getSession().getAttribute(WebAttributes.SAVED_REQUEST) == null);
     }
 
     @Test(expected=IllegalArgumentException.class)

web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilterTests.java

@@ -58,6 +58,7 @@ import org.springframework.security.web.savedrequest.DefaultSavedRequest;
  *
  * @author Ben Alex
  */
+@SuppressWarnings("deprecation")
 public class AbstractAuthenticationProcessingFilterTests extends TestCase {
     SavedRequestAwareAuthenticationSuccessHandler successHandler;
     SimpleUrlAuthenticationFailureHandler failureHandler;

web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java

@@ -16,6 +16,7 @@ import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.SpringSecurityMessageSource;
+import org.springframework.security.web.WebAttributes;
 import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
 
 /**
@@ -67,7 +68,7 @@ public class DefaultLoginPageGeneratingFilterTests {
         String message = messages.getMessage(
                 "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials", Locale.KOREA);
         System.out.println("Message: " + message);
-        request.getSession().setAttribute(AbstractAuthenticationProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY, new BadCredentialsException(message));
+        request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, new BadCredentialsException(message));
 
         filter.doFilter(request, new MockHttpServletResponse(), chain);
     }

web/src/test/java/org/springframework/security/web/savedrequest/HttpSessionRequestCacheTests.java

@@ -5,6 +5,7 @@ import static org.junit.Assert.*;
 import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.web.WebAttributes;
 
 /**
  *
@@ -20,7 +21,7 @@ public class HttpSessionRequestCacheTests {
         MockHttpServletRequest request = new MockHttpServletRequest("GET", "/destination");
         MockHttpServletResponse response = new MockHttpServletResponse();
         cache.saveRequest(request, response);
-        assertNotNull(request.getSession().getAttribute(DefaultSavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY));
+        assertNotNull(request.getSession().getAttribute(WebAttributes.SAVED_REQUEST));
         assertNotNull(cache.getRequest(request, response));
 
         MockHttpServletRequest newRequest = new MockHttpServletRequest("POST", "/destination");

web/src/test/java/org/springframework/security/web/savedrequest/RequestCacheAwareFilterTests.java

@@ -6,6 +6,7 @@ import org.junit.Test;
 import org.springframework.mock.web.MockFilterChain;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.web.WebAttributes;
 
 public class RequestCacheAwareFilterTests {
 
@@ -17,9 +18,9 @@ public class RequestCacheAwareFilterTests {
         MockHttpServletRequest request = new MockHttpServletRequest("POST", "/destination");
         MockHttpServletResponse response = new MockHttpServletResponse();
         cache.saveRequest(request, response);
-        assertNotNull(request.getSession().getAttribute(DefaultSavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY));
+        assertNotNull(request.getSession().getAttribute(WebAttributes.SAVED_REQUEST));
 
         filter.doFilter(request, response, new MockFilterChain());
-        assertNull(request.getSession().getAttribute(DefaultSavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY));
+        assertNull(request.getSession().getAttribute(WebAttributes.SAVED_REQUEST));
     }
 }

web/src/test/java/org/springframework/security/web/session/DefaultSessionAuthenticationStrategyTests.java

@@ -10,8 +10,8 @@ import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.web.WebAttributes;
 import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
-import org.springframework.security.web.savedrequest.DefaultSavedRequest;
 
 /**
  *
@@ -48,12 +48,12 @@ public class DefaultSessionAuthenticationStrategyTests {
         HttpServletRequest request = new MockHttpServletRequest();
         HttpSession session = request.getSession();
         session.setAttribute("blah", "blah");
-        session.setAttribute(DefaultSavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY, "DefaultSavedRequest");
+        session.setAttribute(WebAttributes.SAVED_REQUEST, "DefaultSavedRequest");
 
         strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse());
 
         assertNull(request.getSession().getAttribute("blah"));
-        assertNotNull(request.getSession().getAttribute(DefaultSavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY));
+        assertNotNull(request.getSession().getAttribute(WebAttributes.SAVED_REQUEST));
     }
 
     @Test