I am able to do the custom LDAP authentication for external DB authorities. But when I try to test a wrong password, the authentication failure URL is not shown; instead my browser prints the exception details. Below are my securitycontext.xml and the exception given.

        <logout logout-success-url="/index.jsp" />
        <form-login authentication-failure-url="/index.jsp?error=1" default-target-url="/home.jsp" />
        <anonymous/>
    </http>

    <b:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
        <b:property name="decisionVoters">
            <b:list>
                <b:ref bean="roleVoter" />
                <b:ref bean="authenticatedVoter" />
            </b:list>
        </b:property>
    </b:bean>

    <b:bean id="roleVoter" class="org.springframework.security.vote.RoleVoter">
        <b:property name="rolePrefix" value="PRIV_" />
    </b:bean>
    <b:bean id="authenticatedVoter" class="org.springframework.security.vote.AuthenticatedVoter">
    </b:bean>

    <b:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <b:constructor-arg value="ldap://mydomain:389" />
    </b:bean>
    <b:bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
        <b:constructor-arg ref="contextSource" />
    </b:bean>

    <b:bean id="ldapAuthenticationProvider"
            class="com.zo.sas.gwt.security.login.server.SASLdapAuthenticationProvider">
        <b:property name="authenticator" ref="ldapAuthenticator" />
        <custom-authentication-provider />
    </b:bean>

    <b:bean id="ldapAuthenticator"
            class="com.zo.sas.gwt.security.login.server.SASAuthenticator">
        <b:property name="contextSource" ref="contextSource" />
        <b:property name="userDnPatterns">
            <b:value>uid={0},OU=People</b:value>
        </b:property>
    </b:bean>

And my exception logs:

exception

    org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
        org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:180)
        org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:266)
        org.springframework.ldap.core.support.AbstractContextSource.getContext(AbstractContextSource.java:106)
        com.zo.sas.gwt.security.login.server.SASAuthenticator.authenticate(SASAuthenticator.java:55)
        com.zo.sas.gwt.security.login.server.SASLdapAuthenticationProvider.authenticate(SASLdapAuthenticationProvider.java:45)
        org.springframework.security.providers.ProviderManager.doAuthentication(ProviderManager.java:188)
        org.springframework.security.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:46)
        org.springframework.security.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:82)
        org.springframework.security.ui.AbstractProcessingFilter.doFilterHttp(AbstractProcessingFilter.java:258)
        org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
        org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
        org.springframework.security.ui.logout.LogoutFilter.doFilterHttp(LogoutFilter.java:89)
        org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
        org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
        org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
        org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
        org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
        org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:175)
        org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:183)
        org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:138)

This is my index.jsp

    var dictionary = { loginErr: "${SPRING_SECURITY_LAST_EXCEPTION.message}", error: "${param.error}" };
    <head>
    </head>
    <body>
        <iframe src="javascript:''" id="__gwt_historyFrame" style="width:0;height:0;border:0"></iframe>

        <script type="text/javascript" language="javascript" src="com.zo.sas.gwt.sasworkflow.home.Home.nocache.js"></script>
    </body>

A: 

Hi, that log doesn't say much. You should put org.springframework to log at DEBUG level and see what is going on.
Look for these messages: "Updated SecurityContextHolder to contain null Authentication" and "Authentication request failed: "; after that there must be a redirect to index.jsp.
What is the code of index.jsp?

rodrigoap
Thanks for the reply, but I am not getting these messages. And on failure my URL will be http://localhost/sas/j_spring_security_check, which displays HTTP status 500 and an error log containing what I pasted previously.
A: 

This is the correct error message, LDAP: error code 49 - Invalid Credentials, maybe not the format that you wanted though.

The LDAP server should pass a subcode for the reason. Active Directory has a list: AD LDAP 49 codes. eDirectory will usually send a 669 error for a bad password or 601 for a bad DN. Though I think that changed in the last couple of versions, and they all show up as 669 errors on eDirectory, so as not to help attackers determine real user names.

geoffc
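
An added example, not code from the question or from either answer: the trace in the question shows `org.springframework.ldap.AuthenticationException`, a Spring LDAP type, whereas the form-login filter only turns Spring Security's own `org.springframework.security.AuthenticationException` into a redirect to `authentication-failure-url`. The wrapper below translates one into the other, logs the Active Directory sub-code server-side, and gives the user one uniform message. The class name `TranslatingLdapAuthenticator` and its `describe` helper are hypothetical, and it assumes the Spring Security 2.0.x `LdapAuthenticator` interface.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.Authentication;
import org.springframework.security.BadCredentialsException;
import org.springframework.security.providers.ldap.LdapAuthenticator;

// Hypothetical wrapper (not the asker's SASAuthenticator) around any LdapAuthenticator.
public class TranslatingLdapAuthenticator implements LdapAuthenticator {
    private static final Logger LOG = Logger.getLogger(TranslatingLdapAuthenticator.class.getName());
    // Active Directory reports the sub-code after "data", e.g. "... data 52e, v1db1]"
    private static final Pattern AD_SUBCODE = Pattern.compile("error code 49\\b.*?\\bdata ([0-9a-fA-F]+)");
    private static final Map<String, String> AD_REASONS = new HashMap<String, String>();
    static {
        AD_REASONS.put("525", "user not found");
        AD_REASONS.put("52e", "invalid credentials");
        AD_REASONS.put("532", "password expired");
        AD_REASONS.put("533", "account disabled");
        AD_REASONS.put("775", "account locked out");
    }
    private final LdapAuthenticator delegate;

    public TranslatingLdapAuthenticator(LdapAuthenticator delegate) {
        this.delegate = delegate;
    }

    public DirContextOperations authenticate(Authentication authentication) {
        try {
            return delegate.authenticate(authentication);
        } catch (org.springframework.ldap.AuthenticationException e) {
            // The detailed reason goes to the server log only.
            LOG.info("LDAP bind rejected: " + describe(e.getMessage()));
            // Same message for every cause, so the login page does not reveal
            // whether the user name exists.
            throw new BadCredentialsException("Bad credentials", e);
        }
    }

    // Extracts the sub-code only; the raw server message is never echoed.
    static String describe(String ldapMessage) {
        Matcher m = AD_SUBCODE.matcher(String.valueOf(ldapMessage));
        if (!m.find()) return "error 49, no sub-code reported";
        String code = m.group(1).toLowerCase();
        String reason = AD_REASONS.get(code);
        return "sub-code " + code + (reason != null ? " (" + reason + ")" : " (unlisted)");
    }
}
```

For the message in the question, which carries no `data` field, `describe` returns "error 49, no sub-code reported".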