I'm checking the latest Spring Authorization Server v0.2.0 and found two formLogin() calls configured in the provided authorizationserver sample.
One is in AuthorizationServerConfig.java:
@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    // Restricts this chain to the authorization server endpoints (/oauth2/authorize, /oauth2/token, ...)
    // and applies their default security.
    OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
    // Convenience: installs a LoginUrlAuthenticationEntryPoint so unauthenticated requests are redirected to /login.
    return http.formLogin(Customizer.withDefaults()).build();
}
The other is in DefaultSecurityConfig.java:
@Bean
SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
    http
        // Lower precedence: matches every request the authorization server chain does not claim, including /login.
        .authorizeRequests(authorizeRequests ->
            authorizeRequests.anyRequest().authenticated()
        )
        // Serves and processes the default login form at /login.
        .formLogin(withDefaults());   // static import of Customizer.withDefaults()
    return http.build();
}
My question is:
Two formLogin()s are configured, so which one should I change?

The reason for the formLogin() configuration in AuthorizationServerConfig is purely a "convenience configuration", as it will set up the LoginUrlAuthenticationEntryPoint and perform the redirect to /login when the current request is not authenticated.
For example, when the client is redirected to /oauth2/authorize and the user is not authenticated, the user will be redirected to /login, which will match on the SecurityFilterChain defined by DefaultSecurityConfig NOT AuthorizationServerConfig.
Basically, the formLogin() in AuthorizationServerConfig serves the sole purpose of performing the redirect to /login, which is ultimately matched on the DefaultSecurityConfig SecurityFilterChain.
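To make the division of labour between the two chains concrete, here is an added example (not code from the Spring Authorization Server sample or from the answer above). It keeps the two-chain layout of the sample but replaces the "convenience" formLogin() in the authorization server chain with the LoginUrlAuthenticationEntryPoint it installs, and it pulls the login URL into a single constant so the redirect target in chain 1 cannot drift away from the page chain 2 actually serves. The class name, the LOGIN_PAGE constant, the controller or template assumed to render that page, and the exact package of OAuth2AuthorizationServerConfiguration for 0.2.0 are assumptions:

```java
// Added example for Spring Authorization Server 0.2.0 / Spring Security 5.5.
// Not the sample's own code; class name, LOGIN_PAGE and package paths are assumptions.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.authorization.config.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

@Configuration
public class TwoChainSecurityConfig {

    // Single source of truth for the login page: the redirect target of chain 1
    // and the page served by chain 2 must be the same URL.
    private static final String LOGIN_PAGE = "/login";

    // Chain 1: only the authorization server endpoints (/oauth2/authorize, /oauth2/token, ...).
    // applyDefaultSecurity() narrows this chain's request matcher to those endpoints,
    // so LOGIN_PAGE itself never reaches this chain.
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        // This is the only effect formLogin(withDefaults()) has on this chain:
        // an unauthenticated request to /oauth2/authorize gets a 302 to LOGIN_PAGE.
        // No login form is rendered or processed here.
        http.exceptionHandling(exceptions ->
            exceptions.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint(LOGIN_PAGE))
        );
        return http.build();
    }

    // Chain 2: every request chain 1 did not claim, including the redirect target LOGIN_PAGE.
    // This chain renders and processes the login form, so login customizations belong here.
    @Bean
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorize -> authorize
                .anyRequest().authenticated()
            )
            .formLogin(form -> form
                // Custom login page. Once loginPage() is set, Spring Security no longer
                // generates its default page, so a controller or template (assumed, not
                // shown) must serve GET LOGIN_PAGE.
                .loginPage(LOGIN_PAGE)
                // Lets the login page, the processing URL and the failure URL be reached anonymously;
                // without this the page would itself redirect to the login page.
                .permitAll()
            );
        return http.build();
    }
}
```

With this layout, changing the login page means editing LOGIN_PAGE and the view behind it; the authorization server chain needs no further change, which is the practical answer to "which one should I change". Note that `@Order(Ordered.HIGHEST_PRECEDENCE)` on chain 1 matters: FilterChainProxy picks the first chain whose request matcher accepts the request, and chain 2's `anyRequest()` matcher would otherwise swallow the /oauth2 endpoints.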