Closed
Description
The current documentation uses a @ControllerAdvice to handle the CompromisedPasswordException and redirect the user to the /reset-password page:
@ControllerAdvice
public class MyControllerAdvice {
@ExceptionHandler(CompromisedPasswordException.class)
public String handleCompromisedPasswordException(CompromisedPasswordException ex, RedirectAttributes attributes) {
attributes.addFlashAttribute("error", ex.message);
return "redirect:/reset-password";
}
}The Controller Advice won't work for handling compromised passwords when the check is done by Spring Security because the Filter happens before the advice can be applied. Instead, a failureHandler should be used in the formLogin DSL.