As the LoginFilter does call the beforeLogin method of the interceptors but this method may not throw an AuthenticatorException it is not possible to effectively prevent a login by the use of such an interceptor. But this might be desired if for example users should be disabled. Therefore I would suggest to either add AuthenticatorException within the throws clause of the beforeLogin method or to add a special runtime exception "InterceptorException" that is handled within the LoginFilter in such a way that if it occurs the LOGIN_FAILED attribute is set. So the following code sniplet shows a possible solution within the LoginFilter for this issue.

try
{
for (Iterator iterator = interceptors.iterator(); iterator.hasNext()

{ LoginInterceptor loginInterceptor = (LoginInterceptor) iterator.next(); loginInterceptor.beforeLogin(request, response, username, password, persistentLogin); }

loggedIn = getAuthenticator().login(request, response, username, password, persistentLogin);

if (loggedIn)

{ log.debug("Login was successful - setting attribute to \"Success\""); request.setAttribute(OS_AUTHSTATUS_KEY, LOGIN_SUCCESS); }

else

{ log.debug("Login was not successful - setting attribute to \"Failed\""); request.setAttribute(OS_AUTHSTATUS_KEY, LOGIN_FAILED); }

}
catch (InterceptorException e)

{ log.debug("Login was not successful - setting attribute to \"Failed\""); request.setAttribute(OS_AUTHSTATUS_KEY, LOGIN_FAILED); }

catch (AuthenticatorException e)

{ log.debug("Login was not successful, and exception was thrown - setting attribute to \"Error\""); request.setAttribute(OS_AUTHSTATUS_KEY, LOGIN_ERROR); e.printStackTrace(); log.warn("Exception was thrown whilst logging in: " + e.getMessage(), e); }