diff --git a/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java b/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java index 72de83f565..b1a1bd1239 100755 --- a/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java +++ b/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java @@ -167,8 +167,9 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi } /** - * Ensures the authentication object in the secure context is set to null - * when authentication fails. + * Ensures the authentication object in the secure context is set to null when authentication fails. + *

+ * Caches the failure exception as a request attribute */ protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) { SecurityContextHolder.clearContext(); @@ -176,7 +177,7 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi if (logger.isDebugEnabled()) { logger.debug("Cleared security context due to exception", failed); } - request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, failed); + request.setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, failed); } /**