
Merge branch '6.0.x' into 6.1.x

Closes gh-14117
Josh Cummings 1 tahun lalu
induk
melakukan
bcef8f98aa

+ 11 - 4
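--- a/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java
@@ -35,6 +35,7 @@ import org.springframework.security.web.WebAttributes;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 import org.springframework.web.filter.GenericFilterBean;
 import org.springframework.web.util.HtmlUtils;
 
@@ -266,11 +267,17 @@ public class DefaultLoginPageGeneratingFilter extends GenericFilterBean {
 
 	private String getLoginErrorMessage(HttpServletRequest request) {
 		HttpSession session = request.getSession(false);
-		if (session != null && session
-			.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION) instanceof AuthenticationException exception) {
-			return exception.getMessage();
+		if (session == null) {
+			return "Invalid credentials";
 		}
-		return "Invalid credentials";
+		if (!(session
+			.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION) instanceof AuthenticationException exception)) {
+			return "Invalid credentials";
+		}
+		if (!StringUtils.hasText(exception.getMessage())) {
+			return "Invalid credentials";
+		}
+		return exception.getMessage();
 	}
 
 	private String renderHiddenInputs(HttpServletRequest request) {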
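Review bot: The rewritten `getLoginErrorMessage` still passes the raw `AuthenticationException` message through to the page with only a blank check, so the contract that the render site HTML-escapes it (HtmlUtils is imported, but the call site is outside this hunk, so that is presumed) and the fact that any provider's message text reaches the browser remain implicit. I would state that above the method: `// Rendered into the login page: the caller must HTML-escape this, and any AuthenticationException subclass message (e.g. a verbose provider detail) is shown verbatim.` The three returns of the same literal could also collapse into one `private static final String DEFAULT_LOGIN_ERROR_MESSAGE = "Invalid credentials";` so the fallback text has a single owner when it is next changed.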

+ 14 - 0
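--- a/web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java
@@ -171,4 +171,18 @@ public class DefaultLoginPageGeneratingFilterTests {
 			.contains("<a href=\"/saml/sso/google\">Google &lt; &gt; &quot; &#39; &amp;</a>");
 	}
 
+	// gh-13768
+	@Test
+	public void generatesWhenExceptionWithEmptyMessageThenInvalidCredentials() throws Exception {
+		DefaultLoginPageGeneratingFilter filter = new DefaultLoginPageGeneratingFilter(
+				new UsernamePasswordAuthenticationFilter());
+		filter.setLoginPageUrl(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL);
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/login");
+		request.setQueryString("error");
+		request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, new BadCredentialsException(null));
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		filter.doFilter(request, response, this.chain);
+		assertThat(response.getContentAsString()).contains("Invalid credentials");
+	}
+
 }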
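Review bot: The new test pins only the null-message case, while the `StringUtils.hasText` guard it exercises also treats empty and whitespace-only messages as absent, and nothing asserts that a real message survives the new guard. A second case using `new BadCredentialsException(" ")` with the same `contains("Invalid credentials")` assertion would document the whitespace boundary, and a companion using `new BadCredentialsException("custom")` asserting `contains("custom")` would catch a regression where the fallback swallows genuine messages. The enclosing test class starts outside this hunk.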