I've been struggling for a few days now. I'm kind of new to Spring Boot, and like the idea of not using XML configuration.
I created a RESTful application (with JSON). I'm following this tutorial to configure authentication properly.
I think I managed to reproduce almost all of its configurations using Java configuration, except for one thing: AuthenticationEntryPoint.
The tutorial uses a property in the http tag like this and defines a formLogin in the following way:

    <http entry-point-ref="restAuthenticationEntryPoint">
        <intercept-url pattern="/api/admin/**" access="ROLE_ADMIN"/>
        <form-login authentication-success-handler-ref="mySuccessHandler"
                    authentication-failure-handler-ref="myFailureHandler" />
        <logout />
    </http>

The AuthenticationEntryPoint explanation in the Spring Security manual says:
AuthenticationEntryPoint can be set using the entry-point-ref attribute on the <http> element.
It doesn't mention anything about how to do it using Java configuration.
So how can I "register" my own restAuthenticationEntryPoint without XML in order to prevent the redirection to a login form when using formLogin?
Below I will mention what I have tried.
Thank you all.
In my attempts, I found you can define it using basicAuth like this:

    @Configuration
    @Order(1)
    public static class RestWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            if (restAuthenticationEntryPoint == null) {
                restAuthenticationEntryPoint = new RestAuthenticationEntryPoint();
            }
            http
                .authorizeRequests()
                    .antMatchers("/**").hasAnyRole(Sec.ADMIN, Sec.SUPER_USER)
                    ...
                    .and()
                .httpBasic()
                    .authenticationEntryPoint(restAuthenticationEntryPoint)

But I'm using a form login like this (without the httpBasic part):

    .and()
    .formLogin()
        .successHandler(mySavedRequestAwareAuthenticationSuccessHandler)
        .failureHandler(simpleUrlAuthenticationFailureHandler)

The problem is it redirects to a login form when it doesn't receive credentials. Since this is a REST service it shouldn't.
The documentation for FormLoginConfigurer (the class .formLogin() uses) says:
Shared Objects Created
The following shared objects are populated
AuthenticationEntryPoint
But I couldn't find a way to override it.
Any ideas?
P.S.
I don't think it would be a good idea to override the login form to a custom one that only returns the error.
The quote from the ref docs you provided is pointing you at http.exceptionHandling(). You can set up the shared entry point there.
http.exceptionHandling().authenticationEntryPoint(myEntryPoint);