diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginSecurityConfiguration.java b/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginSecurityConfiguration.java index 0cecfd21249..21fb6ea3fef 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginSecurityConfiguration.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/login/LoginSecurityConfiguration.java @@ -1,7 +1,5 @@ package org.cloudfoundry.identity.uaa.login; -import java.io.IOException; - import org.cloudfoundry.identity.uaa.authentication.PasswordChangeUiRequiredFilter; import org.cloudfoundry.identity.uaa.authentication.ReAuthenticationRequiredFilter; import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationDetailsSource; @@ -11,7 +9,6 @@ import org.cloudfoundry.identity.uaa.web.FilterChainOrder; import org.cloudfoundry.identity.uaa.web.UaaFilterChain; import org.cloudfoundry.identity.uaa.web.UaaSavedRequestCache; - import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; 
@@ -20,11 +17,18 @@ import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer; +import org.springframework.security.config.http.SessionCreationPolicy; +import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; import org.springframework.security.web.authentication.logout.LogoutFilter; +import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; import org.springframework.security.web.context.SecurityContextPersistenceFilter; import org.springframework.security.web.csrf.CsrfFilter; import org.springframework.security.web.session.DisableEncodeUrlFilter; + +import java.io.IOException; + import static org.cloudfoundry.identity.uaa.web.AuthorizationManagersUtils.anonymousOrFullyAuthenticated; @Configuration 
@@ -36,6 +40,105 @@ ResourcePropertySource messagePropertiesSource() throws IOException { return new ResourcePropertySource("messages.properties"); } + @Bean + @Order(FilterChainOrder.FORGOT_PASSWORD) + UaaFilterChain forgotPassword(HttpSecurity http) throws Exception { + var originalChain = http + .securityMatcher( + "/forgot_password", + "/forgot_password.do" + ) + .authorizeHttpRequests(auth -> auth.anyRequest().permitAll()) + .csrf(CsrfConfigurer::disable) + .exceptionHandling(exception -> { + exception.authenticationEntryPoint(new CsrfAwareEntryPointAndDeniedHandler("/invalid_request", "/login?error=invalid_login_request")); + }) + .build(); + return new UaaFilterChain(originalChain); + } + + @Bean + @Order(FilterChainOrder.DELETE_SAVED_ACCOUNT) + UaaFilterChain deleteSavedAccount( + HttpSecurity http, + @Qualifier("clientAuthenticationManager") AuthenticationManager authenticationManager, + @Qualifier("basicAuthenticationEntryPoint") AuthenticationEntryPoint authenticationEntryPoint + ) throws Exception { + var originalChain = http + .securityMatcher("/delete_saved_account") + .authorizeHttpRequests(auth -> auth.anyRequest().permitAll()) + .authenticationManager(authenticationManager) + .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) + .exceptionHandling(exception -> { + exception.authenticationEntryPoint(authenticationEntryPoint); + }) + .build(); + return new UaaFilterChain(originalChain); + } + + @Bean + @Order(FilterChainOrder.VERIFY_EMAIL) + UaaFilterChain verifyEmail(HttpSecurity http) throws Exception { + var originalChain = http + .securityMatcher("/verify_email") + .authorizeHttpRequests(auth -> auth.anyRequest().permitAll()) + .csrf(CsrfConfigurer::disable) + .exceptionHandling(exception -> { + exception.authenticationEntryPoint(new CsrfAwareEntryPointAndDeniedHandler("/invalid_request", "/login?error=invalid_login_request")); + }) + .build(); + return new UaaFilterChain(originalChain); + } + + @Bean + 
@Order(FilterChainOrder.VERIFY_USER) + UaaFilterChain verifyUser(HttpSecurity http) throws Exception { + var originalChain = http + .securityMatcher("/verify_user") + .authorizeHttpRequests(auth -> auth.anyRequest().permitAll()) + .csrf(CsrfConfigurer::disable) + .exceptionHandling(exception -> { + exception.authenticationEntryPoint(new CsrfAwareEntryPointAndDeniedHandler("/invalid_request", "/login?error=invalid_login_request")); + }) + .build(); + return new UaaFilterChain(originalChain); + } + + @Bean + @Order(FilterChainOrder.INVITATIONS_ACCEPT) + UaaFilterChain acceptInvitation(HttpSecurity http) throws Exception { + var originalChain = http + .securityMatcher("/invitations/accept") + .authorizeHttpRequests(auth -> auth.anyRequest().permitAll()) + .csrf(CsrfConfigurer::disable) + .exceptionHandling(exception -> { + exception.authenticationEntryPoint(new CsrfAwareEntryPointAndDeniedHandler("/invalid_request", "/login?error=invalid_login_request")); + }) + .build(); + return new UaaFilterChain(originalChain); + } + + /** + * Handle login callbacks from SAML upstream providers. + */ + @Bean + @Order(FilterChainOrder.SAML_IDP_SSO) + UaaFilterChain samlSsoCallback( + HttpSecurity http, + PasswordChangeUiRequiredFilter passwordChangeUiRequiredFilter + ) throws Exception { + var originalChain = http + .securityMatcher("/saml/idp/SSO/**") + .authorizeHttpRequests(auth -> auth.anyRequest().fullyAuthenticated()) + .addFilterBefore(passwordChangeUiRequiredFilter, BasicAuthenticationFilter.class) + .csrf(CsrfConfigurer::disable) + .exceptionHandling(exception -> { + exception.authenticationEntryPoint(new CsrfAwareEntryPointAndDeniedHandler("/invalid_request", "/login?error=invalid_login_request")); + }) + .build(); + return new UaaFilterChain(originalChain); + } + /** * Handle the UI-related components, such as the login page, the home page, etc. *
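Review bot: In `deleteSavedAccount`, the injected `clientAuthenticationManager` and `basicAuthenticationEntryPoint` are never exercised: the chain grants `anyRequest().permitAll()` and registers no `httpBasic()` filter, so no request to `/delete_saved_account` is ever challenged by that entry point or authenticated by that manager — either the endpoint is intentionally unauthenticated and the two parameters are dead wiring to drop, or basic auth was meant to protect it and `.httpBasic(Customizer.withDefaults())` together with `.anyRequest().authenticated()` is missing; if this simply mirrors the deleted XML definition, a comment saying so would spare the next reader the same question. It is also the only chain in this hunk that leaves CSRF at its default while declaring `SessionCreationPolicy.STATELESS`; with no session to hold a token, a POST there would presumably be rejected unless a cookie-backed repository is configured elsewhere — confirm, and make the intent explicit with either `.csrf(CsrfConfigurer::disable)` plus a one-line justification (as the sibling chains should also carry, since `/forgot_password.do`, `/verify_email`, `/verify_user` and `/invitations/accept` accept unauthenticated form posts) or an explicit token repository. Separately, `new CsrfAwareEntryPointAndDeniedHandler("/invalid_request", "/login?error=invalid_login_request")` is repeated five times; a `private static AuthenticationEntryPoint invalidLoginEntryPoint()` helper returning that instance keeps the two redirect targets in one place. The UI chain whose Javadoc starts at the end of this hunk continues outside it.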

diff --git a/server/src/main/resources/spring/login-ui.xml b/server/src/main/resources/spring/login-ui.xml index c8703c42872..7fca4067bf3 100644 --- a/server/src/main/resources/spring/login-ui.xml +++ b/server/src/main/resources/spring/login-ui.xml @@ -111,17 +111,6 @@ - - - - - - @@ -146,47 +135,6 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - -