Rationale

Currently, one can configure multiple login callbacks by using CompositeCallback. With a fairly complex configuration, this allows to configure different callbacks based on the requested urls (typically /.magnolia will be protected by the regular Magnolia login form, while a protected but public section of a website will redirect a login form from the website itself).

...

I'm also assuming that this would make it simpler to have a multi-site aware callback.

Additionally, we're introducing an extra filter to "catch" the 401/403 status as well as AccessDeniedException}}s; existing subclasses of {{BaseSecurityFilter will not handle the callbacks anymore, but merely set an http status. The new filter will have callbacks configured and handle them.