6 月之前 · c4b223266c
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurerTests.java
@@ -22,14 +22,12 @@ import org.junit.jupiter.api.extension.ExtendWith;
 
				 import org.springframework.beans.factory.annotation.Autowired;
			
 
				 import org.springframework.context.annotation.Bean;
			
 
				 import org.springframework.context.annotation.Configuration;
			
 
				-import org.springframework.context.support.MessageSourceAccessor;
			
 
				 import org.springframework.mock.web.MockHttpSession;
			
 
				 import org.springframework.security.config.ObjectPostProcessor;
			
 
				 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
			
 
				 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
			
 
				 import org.springframework.security.config.test.SpringTestContext;
			
 
				 import org.springframework.security.config.test.SpringTestContextExtension;
			
 
				-import org.springframework.security.core.SpringSecurityMessageSource;
			
 
				 import org.springframework.security.core.userdetails.PasswordEncodedUser;
			
 
				 import org.springframework.security.core.userdetails.UserDetailsService;
			
 
				 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
			
@@ -77,8 +75,6 @@ public class DefaultLoginPageConfigurerTests {
 
				 	@Autowired
			
 
				 	MockMvc mvc;
			
 
				 
			
 
				-	MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
			
 
				-
			
 
				 	@Test
			
 
				 	public void getWhenFormLoginEnabledThenRedirectsToLoginPage() throws Exception {
			
 
				 		this.spring.register(DefaultLoginPageConfig.class).autowire();
			
@@ -148,8 +144,7 @@ public class DefaultLoginPageConfigurerTests {
 
				 		this.mvc.perform(get("/login?error").session((MockHttpSession) mvcResult.getRequest().getSession())
			
 
				 				.sessionAttr(csrfAttributeName, csrfToken))
			
 
				 				.andExpect((result) -> {
			
 
				-					String badCredentialsLocalizedMessage = this.messages
			
 
				-							.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials");
			
 
				+					String defaultErrorMessage = "Invalid credentials";
			
 
				 					CsrfToken token = (CsrfToken) result.getRequest().getAttribute(CsrfToken.class.getName());
			
 
				 					assertThat(result.getResponse().getContentAsString()).isEqualTo("""
			
 
				 						<!DOCTYPE html>
			
@@ -184,7 +179,7 @@ public class DefaultLoginPageConfigurerTests {
 
				 
			
 
				 						    </div>
			
 
				 						  </body>
			
 
				-						</html>""".formatted(badCredentialsLocalizedMessage, token.getToken()));
			
 
				+						</html>""".formatted(defaultErrorMessage, token.getToken()));
			
 
				 				});
			
 
				 		// @formatter:on
			
 
				 	}
			
--- a/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/ui/DefaultLoginPageGeneratingFilter.java
@@ -29,14 +29,10 @@ import jakarta.servlet.ServletRequest;
 
				 import jakarta.servlet.ServletResponse;
			
 
				 import jakarta.servlet.http.HttpServletRequest;
			
 
				 import jakarta.servlet.http.HttpServletResponse;
			
 
				-import jakarta.servlet.http.HttpSession;
			
 
				 
			
 
				-import org.springframework.security.core.AuthenticationException;
			
 
				-import org.springframework.security.web.WebAttributes;
			
 
				 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
			
 
				 import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
			
 
				 import org.springframework.util.Assert;
			
 
				-import org.springframework.util.StringUtils;
			
 
				 import org.springframework.web.filter.GenericFilterBean;
			
 
				 
			
 
				 /**
			
@@ -221,7 +217,7 @@ public class DefaultLoginPageGeneratingFilter extends GenericFilterBean {
 
				 	}
			
 
				 
			
 
				 	private String generateLoginPageHtml(HttpServletRequest request, boolean loginError, boolean logoutSuccess) {
			
 
				-		String errorMsg = loginError ? getLoginErrorMessage(request) : "Invalid credentials";
			
 
				+		String errorMsg = "Invalid credentials";
			
 
				 		String contextPath = request.getContextPath();
			
 
				 
			
 
				 		return HtmlTemplates.fromTemplate(LOGIN_PAGE_TEMPLATE)
			
@@ -358,21 +354,6 @@ public class DefaultLoginPageGeneratingFilter extends GenericFilterBean {
 
				 			.render();
			
 
				 	}
			
 
				 
			
 
				-	private String getLoginErrorMessage(HttpServletRequest request) {
			
 
				-		HttpSession session = request.getSession(false);
			
 
				-		if (session == null) {
			
 
				-			return "Invalid credentials";
			
 
				-		}
			
 
				-		if (!(session
			
 
				-			.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION) instanceof AuthenticationException exception)) {
			
 
				-			return "Invalid credentials";
			
 
				-		}
			
 
				-		if (!StringUtils.hasText(exception.getMessage())) {
			
 
				-			return "Invalid credentials";
			
 
				-		}
			
 
				-		return exception.getMessage();
			
 
				-	}
			
 
				-
			
 
				 	private String renderHiddenInput(String name, String value) {
			
 
				 		return HtmlTemplates.fromTemplate(HIDDEN_HTML_INPUT_TEMPLATE)
			
 
				 			.withValue("name", name)
			
--- a/web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/DefaultLoginPageGeneratingFilterTests.java
@@ -18,17 +18,14 @@ package org.springframework.security.web.authentication;
 
				 
			
 
				 import java.io.IOException;
			
 
				 import java.util.Collections;
			
 
				-import java.util.Locale;
			
 
				 
			
 
				 import jakarta.servlet.FilterChain;
			
 
				 import jakarta.servlet.ServletException;
			
 
				 import org.junit.jupiter.api.Test;
			
 
				 
			
 
				-import org.springframework.context.support.MessageSourceAccessor;
			
 
				 import org.springframework.mock.web.MockHttpServletRequest;
			
 
				 import org.springframework.mock.web.MockHttpServletResponse;
			
 
				 import org.springframework.security.authentication.BadCredentialsException;
			
 
				-import org.springframework.security.core.SpringSecurityMessageSource;
			
 
				 import org.springframework.security.web.WebAttributes;
			
 
				 import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
			
 
				 
			
@@ -128,22 +125,6 @@ public class DefaultLoginPageGeneratingFilterTests {
 
				 		assertThat(response.getContentAsString()).isEmpty();
			
 
				 	}
			
 
				 
			
 
				-	/* SEC-1111 */
			
 
				-	@Test
			
 
				-	public void handlesNonIso8859CharsInErrorMessage() throws Exception {
			
 
				-		DefaultLoginPageGeneratingFilter filter = new DefaultLoginPageGeneratingFilter(
			
 
				-				new UsernamePasswordAuthenticationFilter());
			
 
				-		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/login");
			
 
				-		MockHttpServletResponse response = new MockHttpServletResponse();
			
 
				-		request.setQueryString("error");
			
 
				-		MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
			
 
				-		String message = messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials",
			
 
				-				"Bad credentials", Locale.KOREA);
			
 
				-		request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, new BadCredentialsException(message));
			
 
				-		filter.doFilter(request, response, this.chain);
			
 
				-		assertThat(response.getContentAsString()).contains(message);
			
 
				-	}
			
 
				-
			
 
				 	// gh-5394
			
 
				 	@Test
			
 
				 	public void generatesForOAuth2LoginAndEscapesClientName() throws Exception {
			
@@ -244,7 +225,7 @@ public class DefaultLoginPageGeneratingFilterTests {
 
				 				    <div class="content">
			
 
				 				      <form class="login-form" method="post" action="null">
			
 
				 				        <h2>Please sign in</h2>
			
 
				-				<div class="alert alert-danger" role="alert">Bad credentials</div>
			
 
				+				<div class="alert alert-danger" role="alert">Invalid credentials</div>
			
 
				 				        <p>
			
 
				 				          <label for="username" class="screenreader">Username</label>
			
 
				 				          <input type="text" id="username" name="username" placeholder="Username" required autofocus>
			
@@ -259,12 +240,12 @@ public class DefaultLoginPageGeneratingFilterTests {
 
				 				      </form>
			
 
				 
			
 
				 				<h2>Login with OAuth 2.0</h2>
			
 
				-				<div class="alert alert-danger" role="alert">Bad credentials</div>
			
 
				+				<div class="alert alert-danger" role="alert">Invalid credentials</div>
			
 
				 				<table class="table table-striped">
			
 
				 				  <tr><td><a href="/oauth2/authorization/google">Google &lt; &gt; &quot; &#39; &amp;</a></td></tr>
			
 
				 				</table>
			
 
				 				<h2>Login with SAML 2.0</h2>
			
 
				-				<div class="alert alert-danger" role="alert">Bad credentials</div>
			
 
				+				<div class="alert alert-danger" role="alert">Invalid credentials</div>
			
 
				 				<table class="table table-striped">
			
 
				 				  <tr><td><a href="/saml/sso/google">Google &lt; &gt; &quot; &#39; &amp;</a></td></tr>
			
 
				 				</table>