Login Controller - clarifying loginHandler usage

[alexanderankin]

Hi all,

my application.yaml for context

micronaut:
  application:
    name: my-application
  security:
    authentication: session
    redirect:
      unauthorized.url: /login # default is / and we want to let users log in
      prior-to-login: true # redirect user back to page they wanted

    # simply using defaults here:
    #endpoints:
    #  login:
    #    enabled: true
    #    path: /login

  server:
    port: 8080

  router:
    static-resources:
      default:
        paths:
          - classpath:/public

I am trying to implement the same functionality as spring's formLogin configuration and i notice that there is some special handling to pull the auth failure out of the session.

For Micronaut's case, it doesn't save the outcome into the session and, lets say that is a job for the login handler - well, it isn't called in the event of no authenticator response. This potentially leaks the case of no AuthenticationProvider configured to the user (never the case in spring, it auto-generates a username/password and prints it out on startup - based on spring.security.user.{name,password}).

I think my best bet is to @Replaces the SessionLoginHandler and, before calling super, set an attribute on the request with the AuthenticationResponse's message, with a fallback to "authentication failed (no additional information)". Not sure if i am missing a better way to do it.