Address PR review feedback for HTMX entry point

- Add response.setCharacterEncoding("UTF-8") and use
  application/json;charset=UTF-8 content type
- Escape newline, carriage return, and tab in loginUrl JSON output
- Change startup INFO logs to DEBUG (less noise in consuming apps)
- Add @primary to library's AuthenticationEntryPoint bean to prevent
  NoUniqueBeanDefinitionException if consumer has multiple entry points
- Add comment explaining intent of null AuthenticationFailureHandler
- Fix import ordering (security.web.AuthenticationEntryPoint after
  security.crypto.* per alphabetical convention)
- Add HtmxAwareAuthenticationEntryPointConfigurationTest covering
  OAuth2 enabled/disabled paths and @ConditionalOnMissingBean override

Author: devondragon

src/main/java/com/digitalsanctuary/spring/user/security/HtmxAwareAuthenticationEntryPoint.java

@@ -58,9 +58,15 @@ public void commence(HttpServletRequest request, HttpServletResponse response,
             }
 
             response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
-            response.setContentType("application/json");
+            response.setCharacterEncoding("UTF-8");
+            response.setContentType("application/json;charset=UTF-8");
             response.setHeader(HX_REDIRECT_HEADER, loginUrl);
-            String escapedLoginUrl = loginUrl.replace("\\", "\\\\").replace("\"", "\\\"");
+            String escapedLoginUrl = loginUrl
+                    .replace("\\", "\\\\")
+                    .replace("\"", "\\\"")
+                    .replace("\n", "\\n")
+                    .replace("\r", "\\r")
+                    .replace("\t", "\\t");
             response.getWriter().write("{\"error\":\"authentication_required\","
                     + "\"message\":\"Session expired. Please log in.\","
                     + "\"loginUrl\":\"" + escapedLoginUrl + "\"}");

src/main/java/com/digitalsanctuary/spring/user/security/HtmxAwareAuthenticationEntryPointConfiguration.java

@@ -4,6 +4,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Primary;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 import lombok.extern.slf4j.Slf4j;
@@ -40,15 +41,18 @@ public class HtmxAwareAuthenticationEntryPointConfiguration {
      * @return an {@link HtmxAwareAuthenticationEntryPoint} wrapping the appropriate inner entry point
      */
     @Bean
+    @Primary
     @ConditionalOnMissingBean(AuthenticationEntryPoint.class)
     public AuthenticationEntryPoint authenticationEntryPoint() {
         AuthenticationEntryPoint inner;
         if (oauth2Enabled) {
+            // null failureHandler is intentional: OAuth2AuthenticationExceptions without a handler fall through
+            // to the redirect path in CustomOAuth2AuthenticationEntryPoint, which is the desired behavior.
             inner = new CustomOAuth2AuthenticationEntryPoint(null, loginPageURI);
-            log.info("Configuring HtmxAwareAuthenticationEntryPoint wrapping CustomOAuth2AuthenticationEntryPoint");
+            log.debug("Configuring HtmxAwareAuthenticationEntryPoint wrapping CustomOAuth2AuthenticationEntryPoint");
         } else {
             inner = new LoginUrlAuthenticationEntryPoint(loginPageURI);
-            log.info("Configuring HtmxAwareAuthenticationEntryPoint wrapping LoginUrlAuthenticationEntryPoint");
+            log.debug("Configuring HtmxAwareAuthenticationEntryPoint wrapping LoginUrlAuthenticationEntryPoint");
         }
         return new HtmxAwareAuthenticationEntryPoint(inner, loginPageURI);
     }

src/main/java/com/digitalsanctuary/spring/user/security/WebSecurityConfig.java

@@ -22,12 +22,12 @@
 import org.springframework.security.config.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.core.session.SessionRegistry;
 import org.springframework.security.core.session.SessionRegistryImpl;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.DelegatingMissingAuthorityAccessDeniedHandler;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

src/test/java/com/digitalsanctuary/spring/user/security/HtmxAwareAuthenticationEntryPointConfigurationTest.java

@@ -0,0 +1,94 @@
+package com.digitalsanctuary.spring.user.security;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+import org.springframework.boot.autoconfigure.AutoConfigurations;
+import org.springframework.boot.test.context.runner.ApplicationContextRunner;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
+
+@DisplayName("HtmxAwareAuthenticationEntryPointConfiguration Tests")
+class HtmxAwareAuthenticationEntryPointConfigurationTest {
+
+    // Register as auto-configuration so it is processed after user-defined beans,
+    // which is required for @ConditionalOnMissingBean to evaluate correctly.
+    private final ApplicationContextRunner contextRunner = new ApplicationContextRunner()
+            .withConfiguration(AutoConfigurations.of(HtmxAwareAuthenticationEntryPointConfiguration.class))
+            .withPropertyValues(
+                    "user.security.loginPageURI=/user/login.html"
+            );
+
+    @Nested
+    @DisplayName("Non-OAuth2 Configuration")
+    class NonOAuth2Configuration {
+
+        @Test
+        @DisplayName("Should register HtmxAwareAuthenticationEntryPoint wrapping LoginUrlAuthenticationEntryPoint when OAuth2 disabled")
+        void shouldRegisterHtmxEntryPointWrappingLoginUrlWhenOAuth2Disabled() {
+            contextRunner
+                    .withPropertyValues("spring.security.oauth2.enabled=false")
+                    .run(context -> {
+                        assertThat(context).hasSingleBean(AuthenticationEntryPoint.class);
+                        assertThat(context.getBean(AuthenticationEntryPoint.class))
+                                .isInstanceOf(HtmxAwareAuthenticationEntryPoint.class);
+                    });
+        }
+
+        @Test
+        @DisplayName("Should register HtmxAwareAuthenticationEntryPoint when OAuth2 property absent")
+        void shouldRegisterHtmxEntryPointWhenOAuth2PropertyAbsent() {
+            contextRunner.run(context -> {
+                assertThat(context).hasSingleBean(AuthenticationEntryPoint.class);
+                assertThat(context.getBean(AuthenticationEntryPoint.class))
+                        .isInstanceOf(HtmxAwareAuthenticationEntryPoint.class);
+            });
+        }
+    }
+
+    @Nested
+    @DisplayName("OAuth2 Configuration")
+    class OAuth2Configuration {
+
+        @Test
+        @DisplayName("Should register HtmxAwareAuthenticationEntryPoint when OAuth2 enabled")
+        void shouldRegisterHtmxEntryPointWhenOAuth2Enabled() {
+            contextRunner
+                    .withPropertyValues("spring.security.oauth2.enabled=true")
+                    .run(context -> {
+                        assertThat(context).hasSingleBean(AuthenticationEntryPoint.class);
+                        assertThat(context.getBean(AuthenticationEntryPoint.class))
+                                .isInstanceOf(HtmxAwareAuthenticationEntryPoint.class);
+                    });
+        }
+    }
+
+    @Nested
+    @DisplayName("Consumer Override via @ConditionalOnMissingBean")
+    class ConsumerOverride {
+
+        @Test
+        @DisplayName("Should not register library bean when consumer provides an AuthenticationEntryPoint")
+        void shouldNotRegisterLibraryBeanWhenConsumerProvidesEntryPoint() {
+            contextRunner
+                    .withUserConfiguration(ConsumerEntryPointConfiguration.class)
+                    .run(context -> {
+                        assertThat(context).hasSingleBean(AuthenticationEntryPoint.class);
+                        assertThat(context.getBean(AuthenticationEntryPoint.class))
+                                .isInstanceOf(LoginUrlAuthenticationEntryPoint.class);
+                    });
+        }
+    }
+
+    @Configuration
+    static class ConsumerEntryPointConfiguration {
+        @Bean
+        public AuthenticationEntryPoint consumerEntryPoint() {
+            return new LoginUrlAuthenticationEntryPoint("/custom/login");
+        }
+    }
+}

src/test/java/com/digitalsanctuary/spring/user/security/HtmxAwareAuthenticationEntryPointTest.java

@@ -77,7 +77,7 @@ void shouldReturn401WhenHtmxRequestReceived() throws IOException, ServletExcepti
         }
 
         @Test
-        @DisplayName("Should set JSON content type when HTMX request received")
+        @DisplayName("Should set JSON content type with UTF-8 charset when HTMX request received")
         void shouldSetJsonContentTypeWhenHtmxRequestReceived() throws IOException, ServletException {
             // Given
             AuthenticationException authException = new InsufficientAuthenticationException("Session expired");
@@ -86,7 +86,8 @@ void shouldSetJsonContentTypeWhenHtmxRequestReceived() throws IOException, Servl
             entryPoint.commence(request, response, authException);
 
             // Then
-            verify(response).setContentType("application/json");
+            verify(response).setCharacterEncoding("UTF-8");
+            verify(response).setContentType("application/json;charset=UTF-8");
         }
 
         @Test