DelegatingMissingAuthorityAccessDeniedHandler only sets a single missing authority while DefaultLoginPageGeneratingFilter will allow for more than one authority to be missing. One could argue that this gives the default login page flexibility, but I'd argue that this (if anything) backwards. The default login page is just that a default and typically overridden. We are not leveraging this UI feature and so it should not be implemented. On the contrary DelegatingMissingAuthorityAccessDeniedHandler is intended to be production use and it only ever sets a single missing authority meaning that a custom UI could not leverage this functionality with build in Spring Security code (they'd need a custom AuthorizationDeniedHandler or similar).