当用户名或密码登录失败时，主流程在 UsernamePasswordAuthenticationFilter 的 doFilter 方法中。
例如，UsernamePasswordAuthenticationFilter 中 providerManager 的 authenticate 方法认证失败并抛出异常，该异常被捕获后会调用：
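/**
 * Default handling of a failed authentication attempt.
 *
 * <p>Clears the {@link SecurityContextHolder} so that nothing left over from the
 * failed attempt remains in the thread-bound context, informs the remember-me
 * services of the failure, and finally delegates the response (by default a
 * redirect to the login page) to the configured failure handler.
 *
 * @param request  the request during which the authentication attempt occurred
 * @param response the response
 * @param failed   the exception thrown by the authentication provider
 * @throws IOException      propagated from the failure handler
 * @throws ServletException propagated from the failure handler
 */
protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
        AuthenticationException failed) throws IOException, ServletException {
    // Drop whatever the SecurityContextHolder currently holds for this thread.
    SecurityContextHolder.clearContext();
    if (logger.isDebugEnabled()) {
        // NOTE(review): failed.toString() includes the exception message; some
        // AuthenticationException subtypes may embed user-supplied identifiers —
        // confirm what reaches the logs before raising this level in production.
        logger.debug("Authentication request failed: " + failed.toString());
        logger.debug("Updated SecurityContextHolder to contain null Authentication");
        // Separator added so the handler's toString() is not glued to the word "handler".
        logger.debug("Delegating to authentication failure handler " + failureHandler);
    }
    // Give the remember-me services a chance to react to the failed login.
    rememberMeServices.loginFail(request, response);
    // By default the handler stores the exception in the session and redirects to the
    // login page; the page can then read the session attribute to display the reason:
    // request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, exception);
    failureHandler.onAuthenticationFailure(request, response, failed);
}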