Is there a way to disable default "/login" on Spring Security 4.x?

When Spring Security evolved from version 3.2.x to 4.0.0, multiple modifications became required when using XML based configuration, as stated in the Migration reference. After following through, I'm still struggling with a few issues regarding the new form-login@login-processing-url attribute. Even though I have specified it to continue using /j_spring_security_check as path, it keeps the new /login path active.

I have been using Spring Security along with Spring MVC and began developing with version 3.2.7. I have a Controller mapping the path /login to a page that shows the login form and, depending on possible parameters received, shows a certain error message. Below is my controller:

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class LoginController {

    // GET /login renders the custom login view; the optional "error" and "logout"
    // query parameters select which message the view shows.
    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String login(@RequestParam(value = "error", required = false) String error,
                        @RequestParam(value = "logout", required = false) String logout,
                        Model model) {

        if (error != null) {
            model.addAttribute("error", "Usuário e senha inválidos.");
        }

        if (logout != null) {
            model.addAttribute("msg", "Logout bem sucedido.");
        }

        return "login";
    }
}

In version 3.2, my spring-security.xml file specified the form-login@login-page parameter to /login, therefore showing my personalized login form (the same path was used for <logout>).

Now, even though I have explicitly configured form-login@login-processing-url, the /login still redirects to Spring Security's default login page. Besides that, even though I have also specified a logout@logout-url attribute, when logging out Spring still redirects me to the default login form with the "logout successful" message, instead of to my own controller to show my personalized logout message.

When I use the /login? path, the application shows my own login form, but if I call /login?logout or /login?error, which would, respectively, show my logout and error messages, Spring redirects to the default login page.

Question: Is there a way to fully disable the /login redirection?

I know I could simply change my personalized path to something else instead, such as /signin, and avoid the confusion, but I'm doing it as an exercise to understand more about Spring Security 4.x. Besides, I'm concerned a user typing the URL instead of navigating through links would simply drop on Spring's default login page.

Additionally, here follows an excerpt of my spring-security.xml file, already adapted to version 4.x.

<http auto-config="true" use-expressions="true" disable-url-rewriting="true">
    <access-denied-handler error-page="/403" />
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/power/**" access="hasRole('ROLE_POWER_USER')" />
    <!-- login-page points at my controller; login-processing-url reproduces the 3.2 behaviour -->
    <form-login
        login-page="/login"
        default-target-url="/"
        login-processing-url="/j_spring_security_check"
        authentication-failure-url="/login?error"
        username-parameter="username"
        password-parameter="password" />
    <logout logout-success-url="/login?logout"
            logout-url="/j_spring_security_logout" />
    <!-- disabled="true" switches off all of the default response headers
         (Cache-Control, X-Content-Type-Options, X-Frame-Options, HSTS, X-XSS-Protection) -->
    <headers disabled="true" />
    <csrf disabled="false" /> <!-- I know it could be omitted -->
</http>

UPDATE (04/16/2015): Looks like a bug in version 4.0.0. Check my answer.

Felipe Leão asked Apr 15 '15 21:04

1 Answer

What you need to do is implement a custom AuthenticationEntryPoint to turn off login redirect (which is set to default).

Here is some starter reading information:

http://docs.spring.io/spring-security/site/docs/4.0.0.RELEASE/reference/htmlsingle/#auth-entry-point

Here is also an example of how it is implemented:

http://krams915.blogspot.com.au/2010/12/spring-security-mvc-integration-using_26.html

Aeseir answered Sep 29 '22 15:09
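One way to act on the answer above, as an added example that is neither part of the original post nor the Spring project's own code: a custom AuthenticationEntryPoint that always sends unauthenticated browser requests to the questioner's own /login controller (never to the generated page), and answers XHR/JSON clients with a plain 401 instead of a redirect. The class name, package, bean id and the `isApiClient` heuristic are assumptions; the wiring in the comment uses the real `entry-point-ref` attribute of the `<http>` element.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

/**
 * Hypothetical entry point (not from the original post). Wire it into the
 * XML namespace configuration with entry-point-ref, for example:
 *
 *   <beans:bean id="loginEntryPoint" class="com.example.security.LoginPageEntryPoint">
 *       <beans:constructor-arg value="/login" />
 *   </beans:bean>
 *   <http entry-point-ref="loginEntryPoint" use-expressions="true"> ... </http>
 */
public class LoginPageEntryPoint implements AuthenticationEntryPoint {

    private final String loginUrl;

    public LoginPageEntryPoint(String loginUrl) {
        // Only a context-relative path is accepted, so the redirect target is
        // fixed at configuration time and cannot be influenced by any request.
        if (loginUrl == null || !loginUrl.startsWith("/")) {
            throw new IllegalArgumentException("loginUrl must be a context-relative path");
        }
        this.loginUrl = loginUrl;
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException)
            throws IOException, ServletException {
        if (isApiClient(request)) {
            // An HTML login form is useless to an API caller; say 401 and stop.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication required");
            return;
        }
        // Browser requests go to the application's own controller.
        response.sendRedirect(request.getContextPath() + loginUrl);
    }

    // Assumed heuristic: XHR requests and clients that ask for JSON are API callers.
    private static boolean isApiClient(HttpServletRequest request) {
        String accept = request.getHeader("Accept");
        return "XMLHttpRequest".equals(request.getHeader("X-Requested-With"))
                || (accept != null && accept.contains("application/json"));
    }
}
```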