What is the simplest way to override BasicAuthenticationEntryPoint in SpringSecurity 4?

Question

I was not able to find on SO the answer (e.g. here. Spring Security: Commence method in class extending BasicAuthenticationEntryPoint no being called)

I just want to override BasicAuthenticationEntryPoint without override other filters and other staff:

<bean id="authenticationEntryPoint" name="authenticationEntryPoint"
      class="com.myclass.BasicAuthenticationEntryPoint">
    <property name="realmName" value="myapp" />
</bean>

Unfortunately, it does not work and I need to configure filter.

<security:http auto-config="true" ..
<sec:custom-filter ref="basicAuthenticationFilter"
                                before="BASIC_AUTH_FILTER" />

</sec:http>

<bean id="basicAuthenticationFilter"
      class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
    <constructor-arg name="authenticationManager" ref="authenticationManager" />
    <constructor-arg name="authenticationEntryPoint" ref="authenticationEntryPoint" />
</bean>

Then I have this warning.

WARN 2015-10-29 09:44:05,330 [localhost-startStop-1::DefaultFilterChainValidator] [user:system] Possible error: Filters at position 2 and 3 are both instances of org.springframework.security.web.authentication.www.BasicAuthenticationFilter

Therefore I need to disable auto-config but I do not want to do it:

<security:http auto-config="false" ...

What is the simplest way to override BasicAuthenticationEntryPoint in SpringSecurity 4?

Answer 1

This works for me with Spring Security 3 (I think it should work for Spring 4), without configuring any filter :

public class CustomBasicAuthenticationEntryPoint extends BasicAuthenticationEntryPoint {

    @Override
    public void commence(final HttpServletRequest request, final HttpServletResponse response, final AuthenticationException authException) throws IOException, ServletException {

        response.setStatus( HttpServletResponse.SC_UNAUTHORIZED);
    }
}

Update :

CustomBasicAuthenticationEntryPoint is a Spring Bean. You have to tell Spring about it. Like in your post (I've just changed its name in my answer) :

<bean id="authenticationEntryPoint" name="authenticationEntryPoint"
      class="com.myclass.CustomBasicAuthenticationEntryPoint">
    <property name="realmName" value="myapp" />
</bean>

You need also to tell Spring Security to use this bean as entry point instead of default one :

<security:http entry-point-ref="authenticationEntryPoint" ...

Default configuration redirect the client to a login page when not authenticated. When you override this default behaviour, you only send a 401 code status (unauthenticated) and you don't redirect the client.