
What is the simplest way to override BasicAuthenticationEntryPoint in SpringSecurity 4?

I was not able to find the answer on SO (e.g. here: Spring Security: Commence method in class extending BasicAuthenticationEntryPoint no being called).

I just want to override BasicAuthenticationEntryPoint without overriding other filters and other stuff:

<bean id="authenticationEntryPoint" name="authenticationEntryPoint" class="...">
    <property name="realmName" value="myapp" />
</bean>

Unfortunately, it does not work and I need to configure a filter.

<security:http auto-config="true" ..
<sec:custom-filter ref="basicAuthenticationFilter"
                                before="BASIC_AUTH_FILTER" />


<bean id="basicAuthenticationFilter" class="...">
    <constructor-arg name="authenticationManager" ref="authenticationManager" />
    <constructor-arg name="authenticationEntryPoint" ref="authenticationEntryPoint" />
</bean>

Then I have this warning.

WARN 2015-10-29 09:44:05,330 [localhost-startStop-1::DefaultFilterChainValidator] [user:system] Possible error: Filters at position 2 and 3 are both instances of

Therefore I need to disable auto-config but I do not want to do it:

<security:http auto-config="false" ...

What is the simplest way to override BasicAuthenticationEntryPoint in SpringSecurity 4?


  • This works for me with Spring Security 3 (I think it should work for Spring 4), without configuring any filter:

    public class CustomBasicAuthenticationEntryPoint extends BasicAuthenticationEntryPoint {
        @Override
        public void commence(final HttpServletRequest request, final HttpServletResponse response, final AuthenticationException authException) throws IOException, ServletException {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    Update:

    CustomBasicAuthenticationEntryPoint is a Spring Bean. You have to tell Spring about it, like in your post (I've just changed its name in my answer):

    <bean id="authenticationEntryPoint" name="authenticationEntryPoint" class="...">
        <property name="realmName" value="myapp" />
    </bean>

    You also need to tell Spring Security to use this bean as the entry point instead of the default one:

    <security:http entry-point-ref="authenticationEntryPoint" ...

    The default configuration redirects the client to a login page when not authenticated. When you override this default behaviour, you only send a 401 status code (unauthenticated) and you don't redirect the client.
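
A fuller entry point for API clients, as an added example that is not part of the original question or answer: it keeps the `WWW-Authenticate` challenge that a bare `setStatus(401)` drops and returns a fixed body instead of the exception text. The class name `JsonBasicAuthenticationEntryPoint` and the JSON body are hypothetical; it assumes the `javax.servlet` API used with Spring Security 3/4.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;

/**
 * Hypothetical entry point (added example). Register it as the
 * "authenticationEntryPoint" bean with a realmName property and reference it
 * with entry-point-ref on <security:http>, as in the answer above.
 * The namespace's <http-basic> element also accepts entry-point-ref, which
 * sets the entry point BasicAuthenticationFilter calls when submitted
 * credentials are rejected.
 */
public class JsonBasicAuthenticationEntryPoint extends BasicAuthenticationEntryPoint {

    // One fixed body for every failure: the response must not reveal whether
    // the user name was unknown, the password wrong, or the account locked.
    private static final String BODY = "{\"error\":\"unauthorized\"}";

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException, ServletException {
        // Escape backslashes and quotes so the realm stays a valid quoted-string.
        String realm = getRealmName().replace("\\", "\\\\").replace("\"", "\\\"");

        // Without this header a client has no way to learn that Basic
        // authentication is expected; browsers will not prompt for credentials.
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

        // Error responses for protected resources should not be cached.
        response.setHeader("Cache-Control", "no-store");
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");

        // authException.getMessage() is deliberately not written to the client;
        // log it server-side if it is needed for troubleshooting.
        response.getWriter().write(BODY);
    }
}
```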