Spring Security - documentation for SPRING_SECURIT

Published 2019-08-17 07:19

Question:

I am working on an application using Spring Security 3.1.0. A piece of functionality that I need to modify is being driven by SPRING_SECURITY_LAST_EXCEPTION being set as a certain type of attribute. I do not see any code from my organization that is setting an attribute by this name, so I have guessed that this is being set by Spring Security.

My suspicion that it was not a name we made up was confirmed when I found many forum messages and 'how-to' blog posts referencing SPRING_SECURITY_LAST_EXCEPTION that don't address my actual issue. I still can't say what kind of attribute it is, because I have not found any documentation of how this attribute gets set and what its properties are.

Please show me where I have failed to look in order to find the documentation explaining how this property gets set and what its attributes are.

Answer 1:

The class WebAttributes contains a constant named AUTHENTICATION_EXCEPTION. This is used to set a request attribute or session attribute (depending if forwarding or redirecting is used) with the name of SPRING_SECURITY_LAST_EXCEPTION and value of the last AuthenticationException in SimpleUrlAuthenticationFailureHandler.

NOTES

  • It is generally not a good idea to use SPRING_SECURITY_LAST_EXCEPTION for error messages since it displays information an attacker can use.
  • I would recommend updating to Spring Security 3.2.7.RELEASE. This should be passive and will fix any vulnerabilities that are present in older versions. Eventually you should spend the time to update to Spring Security 4, but this is a little more involved since it includes some non-passive changes.
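The answer above describes where the attribute comes from and warns against showing it to users. The following handler is an added example (not from the question, the answer, or the Spring Security project) of how to act on both points: it logs the specific AuthenticationException server-side, where it is useful for monitoring failed logins, and exposes only a fixed message to the login page. It also contains a helper that reads SPRING_SECURITY_LAST_EXCEPTION the way SimpleUrlAuthenticationFailureHandler stores it (request attribute after a forward, session attribute after a redirect) for applications that keep the default handler. The package name, the attribute name LAST_AUTH_FAILURE_MESSAGE, the use of SLF4J, and the javax.servlet API (appropriate for Spring Security 3.x) are assumptions.

```java
package com.example.security; // package name is an assumption, not from the page

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

/**
 * Failure handler that keeps the detailed AuthenticationException on the
 * server (logged for monitoring) and gives the login page only a fixed,
 * non-informative message under an attribute of our own.
 */
public class GenericMessageFailureHandler implements AuthenticationFailureHandler {

    /** Attribute name chosen for this example; it is not a Spring Security constant. */
    public static final String LAST_FAILURE_MESSAGE = "LAST_AUTH_FAILURE_MESSAGE";

    private static final String GENERIC_MESSAGE = "Invalid username or password.";
    private static final Logger LOG = LoggerFactory.getLogger(GenericMessageFailureHandler.class);

    private final String failureUrl;
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    public GenericMessageFailureHandler(String failureUrl) {
        this.failureUrl = failureUrl;
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request,
                                        HttpServletResponse response,
                                        AuthenticationException exception)
            throws IOException, ServletException {
        // The concrete subclass (BadCredentialsException, LockedException, ...) is
        // the detail a monitoring pipeline wants; it stays in the server log only.
        LOG.warn("Authentication failure from {}: {}",
                request.getRemoteAddr(), exception.getClass().getSimpleName());

        // This handler always redirects, so the message goes into the session.
        // SimpleUrlAuthenticationFailureHandler applies the same rule to
        // SPRING_SECURITY_LAST_EXCEPTION and uses a request attribute when forwarding.
        request.getSession(true).setAttribute(LAST_FAILURE_MESSAGE, GENERIC_MESSAGE);
        redirectStrategy.sendRedirect(request, response, failureUrl);
    }

    /**
     * For applications that keep the default handler: reads whatever it stored
     * under SPRING_SECURITY_LAST_EXCEPTION (request attribute after a forward,
     * session attribute after a redirect), removes the session copy so the
     * message is shown once, and returns the generic text, or null when there
     * was no failure. Call this from the login controller.
     */
    public static String consumeLastFailure(HttpServletRequest request) {
        Object ex = request.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
        if (ex == null) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                ex = session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
                session.removeAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
            }
        }
        if (!(ex instanceof AuthenticationException)) {
            return null;
        }
        // Exception type is logged, never rendered.
        LOG.debug("Last authentication failure type: {}", ex.getClass().getSimpleName());
        return GENERIC_MESSAGE;
    }
}
```

To use the handler instead of the default one, declare it as a bean with the failure URL as its constructor argument and reference it from the form-login element's authentication-failure-handler-ref attribute in the security namespace configuration; the login page then reads LAST_AUTH_FAILURE_MESSAGE from the session instead of SPRING_SECURITY_LAST_EXCEPTION. If the default handler stays in place, have the login controller call consumeLastFailure(request) and pass its result to the view, so the exception object itself never reaches the template.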