Spring Security does allow you to configure multiple AuthenticationEntryPoint for your application, if needed.
Since Spring Security 3.0.2, org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint looks at all declared AuthenticationEntryPoint in the configurations and executes them.
Since Spring Security 5.x, we have org.springframework.security.web.server.DelegatingServerAuthenticationEntryPoint, which uses reactive data types and brings in asynchronous nature to its execution.
The defaultAuthenticationEntryPointFor() method in the Spring Security configuration can also be employed to set up multiple entry points looking at different URL matching (see the following code snippet):
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/public").permitAll()
.anyRequest().authenticated()
.and()
.httpBasic()
.defaultAuthenticationEntryPointFor(
loginUrlAuthenticationEntryPointUser(),
new AntPathRequestMatcher("/secured/user/**"))
.defaultAuthenticationEntryPointFor(
loginUrlAuthenticationEntryPointAdmin(),
new AntPathRequestMatcher("/secured/admin/**"));
}
@Bean
public AuthenticationEntryPoint loginUrlAuthenticationEntryPointUser(){
return new LoginUrlAuthenticationEntryPoint("/userAuth");
}
@Bean
public AuthenticationEntryPoint loginUrlAuthenticationEntryPointAdmin(){
return new LoginUrlAuthenticationEntryPoint("/adminAuth");
}