Spring Security AuthenticationException persistent?

I'm using Spring MVC and Spring Security on a project, and am implementing a login form with it. I've run into a sort of strange behaviour, which I wouldn't expect, and I was wondering if there is a way to avoid it.

When there is an authentication error on the login form, I have a method in my controller to handle it:

@RequestMapping(value = "/failed", method = RequestMethod.GET)
public String showLoginFailurePage(Model model, HttpServletRequest request) {
    String authExClass = "";
    AuthenticationException authEx = (AuthenticationException) request.getSession().getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);

    if (authEx != null) {
        authExClass = authEx.getClass().getSimpleName();
    }
    model.addAttribute("authExClass", authExClass);
    return LOGIN_PAGE;
}

This works initially, allowing me to display an error when an authentication error occurs. However, if I refresh the page, I would expect that the AuthenticationException would no longer be attached to the session, and thus I wouldn't display an error to the user. However, it seems that the exception persists beyond a refresh. Do I have an incorrect assumption? Should I not be using my request object this way?

Thanks! idbentley


Well, does any code clear the AUTHENTICATION_EXCEPTION from the Session? Spring Security may not automatically clear this from the session until another authorization attempt is successful - I think you are assuming that this session attribute is automatically removed.

You may want to clear this attribute from the session yourself to not display it again.
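
One way to do what the answer suggests, as an added example that is not part of the original question or answer: the handler reads the stored exception once and removes it from the session, so a refresh of /failed finds nothing to display. The class name, package, and the value of LOGIN_PAGE are assumptions, as is the use of javax.servlet (newer Spring versions use jakarta.servlet instead).

```java
package example; // hypothetical package name

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.WebAttributes;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class LoginFailureController { // hypothetical class name

    // Assumed view name; the question does not show how LOGIN_PAGE is defined.
    private static final String LOGIN_PAGE = "login";

    @RequestMapping(value = "/failed", method = RequestMethod.GET)
    public String showLoginFailurePage(Model model, HttpServletRequest request) {
        String authExClass = "";

        // getSession(false) avoids creating a new session for a visitor who
        // reaches /failed without ever having attempted a login.
        HttpSession session = request.getSession(false);
        if (session != null) {
            Object attr = session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);

            // Consume the attribute: it is removed whether or not it has the
            // expected type, so a page refresh no longer sees a stale failure.
            session.removeAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);

            if (attr instanceof AuthenticationException) {
                // Only the simple class name reaches the view, as in the
                // question; the exception message and stack trace do not.
                authExClass = attr.getClass().getSimpleName();
            }
        }

        model.addAttribute("authExClass", authExClass);
        return LOGIN_PAGE;
    }
}
```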
