Customizing Exception Responses in Spring Security OAuth2
This article explains how to customize authentication and resource server exception messages in Spring Security OAuth2, covering the creation of custom translators, entry points, and filters, with step‑by‑step code examples and testing procedures for handling username/password errors, grant type errors, client credential errors, token expiration, and insufficient permissions.
The author introduces the fourth article of the "Spring Security Advanced" series, focusing on customizing exception information for real‑world Spring Security projects.
First, the article revisits the previously built authentication service (oauth2-auth-server-jwt) and resource service (oauth2-auth-resource-jwt), showing their architecture diagrams.
It then lists three common authentication‑service errors (wrong username/password, unsupported grant type, and incorrect client ID/secret) and displays the default error responses returned by Spring Security.
To replace these unfriendly messages, the author proposes two solution groups: (1) username/password and grant‑type errors, and (2) client ID/secret errors.
1. Username/Password and Grant‑Type Errors
The solution includes:
Customizing the error message and HTTP status code.
Implementing a custom WebResponseExceptionTranslator by overriding the translate(Exception e) method.
Registering the custom translator in AuthorizationServerConfig.
Code example for the translator method:
ResponseEntity<T> translate(Exception e) throws Exception
The configuration screenshot shows the single‑line bean registration.
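A complete version of the two steps above, added here as an example rather than taken from the article (the article's own class names are not shown on this page, so OAuthServerWebResponseExceptionTranslator, CustomOAuth2Exception and the "code"/"msg" JSON shape are assumptions). The translator delegates to Spring's DefaultWebResponseExceptionTranslator to unwrap the cause chain and pick the status code, then swaps in a subclass of OAuth2Exception whose Jackson serializer emits the friendlier body; the classes are shown in one listing and would normally live in separate files.

```java
import java.io.IOException;

import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.annotation.JsonSerialize;
import com.fasterxml.jackson.databind.ser.std.StdSerializer;
import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.common.exceptions.UnsupportedGrantTypeException;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator;
import org.springframework.security.oauth2.provider.error.WebResponseExceptionTranslator;

// Spring serializes whatever OAuth2Exception the translator returns, so the JSON
// shape is controlled by the @JsonSerialize annotation on this subclass (assumed shape).
@JsonSerialize(using = CustomOAuth2Exception.Serializer.class)
public class CustomOAuth2Exception extends OAuth2Exception {
    private final int status;

    public CustomOAuth2Exception(int status, String msg) {
        super(msg);
        this.status = status;
    }

    @Override
    public int getHttpErrorCode() {
        return status;
    }

    public static class Serializer extends StdSerializer<CustomOAuth2Exception> {
        public Serializer() { super(CustomOAuth2Exception.class); }

        @Override
        public void serialize(CustomOAuth2Exception e, JsonGenerator gen, SerializerProvider p) throws IOException {
            gen.writeStartObject();
            gen.writeNumberField("code", e.getHttpErrorCode());
            gen.writeStringField("msg", e.getMessage());
            gen.writeEndObject();
        }
    }
}

// Replaces the default {"error":"invalid_grant","error_description":"Bad credentials"} payload.
public class OAuthServerWebResponseExceptionTranslator implements WebResponseExceptionTranslator<OAuth2Exception> {
    // The stock translator already walks the cause chain and maps it to an OAuth2Exception
    // subclass with the right status; reuse that instead of re-implementing it.
    private final WebResponseExceptionTranslator<OAuth2Exception> defaults = new DefaultWebResponseExceptionTranslator();

    @Override
    public ResponseEntity<OAuth2Exception> translate(Exception e) throws Exception {
        ResponseEntity<OAuth2Exception> original = defaults.translate(e);
        OAuth2Exception cause = original.getBody();

        String msg;
        if (cause instanceof InvalidGrantException) {
            // ResourceOwnerPasswordTokenGranter rethrows BadCredentialsException as InvalidGrantException
            msg = "Wrong username or password";
        } else if (cause instanceof UnsupportedGrantTypeException) {
            msg = "Unsupported grant type";
        } else {
            msg = cause.getMessage(); // leave everything else as Spring reports it
        }

        CustomOAuth2Exception body = new CustomOAuth2Exception(original.getStatusCodeValue(), msg);
        // Keep the Cache-Control/Pragma headers (and WWW-Authenticate on 401) the default set.
        return new ResponseEntity<>(body, original.getHeaders(), original.getStatusCode());
    }
}

public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        // The one-line registration: the token endpoint's exception handler uses this translator.
        endpoints.exceptionTranslator(new OAuthServerWebResponseExceptionTranslator());
        // other endpoint settings (token store, authentication manager, ...) unchanged
    }
}
```

One point worth knowing before testing: the translator is invoked from the TokenEndpoint's @ExceptionHandler, so it only sees errors raised inside the endpoint (bad user credentials, unknown grant type). Client authentication fails earlier, in the filter chain, which is why the article handles client ID/secret errors with an entry point and a filter rather than here.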
2. Client ID/Secret Errors
The approach mirrors the first group but uses a custom AuthenticationEntryPoint together with a subclass of ClientCredentialsTokenEndpointFilter whose failure handler invokes the new entry point.
Key steps:
Define OAuthServerAuthenticationEntryPoint implementing AuthenticationEntryPoint.
Extend ClientCredentialsTokenEndpointFilter, injecting the custom entry point and overriding getAuthenticationManager() and afterPropertiesSet().
Add the filter to AuthorizationServerSecurityConfigurer before BasicAuthenticationFilter.
Important caveat: do not call allowFormAuthenticationForClients() on the same configurer. It registers the default ClientCredentialsTokenEndpointFilter as well, and that filter handles the request ahead of the custom one, so client errors fall back to the default response.
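The three steps above as working code, added here as an example and not the article's own listing (the class names OAuthServerClientCredentialsTokenEndpointFilter and OAuthServerAuthenticationEntryPoint, the JSON shape and the message text are assumptions). The key detail is why both getAuthenticationManager() and afterPropertiesSet() are overridden: the parent's afterPropertiesSet() asserts that an AuthenticationManager was set eagerly and installs a failure handler bound to the default OAuth2AuthenticationEntryPoint, but the manager only exists as an HttpSecurity shared object, so it is resolved lazily per request instead.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter;
import org.springframework.security.web.AuthenticationEntryPoint;

// Writes the friendly body instead of the default {"error":"invalid_client", ...}.
public class OAuthServerAuthenticationEntryPoint implements AuthenticationEntryPoint {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException {
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("code", HttpStatus.UNAUTHORIZED.value());
        body.put("msg", "Invalid client ID or client secret"); // assumed wording
        response.setStatus(HttpStatus.UNAUTHORIZED.value());
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        response.setCharacterEncoding("UTF-8");
        MAPPER.writeValue(response.getWriter(), body);
    }
}

// Subclass of Spring's filter so client-credential failures reach our entry point.
public class OAuthServerClientCredentialsTokenEndpointFilter extends ClientCredentialsTokenEndpointFilter {
    private final AuthorizationServerSecurityConfigurer configurer;
    private final AuthenticationEntryPoint entryPoint;

    public OAuthServerClientCredentialsTokenEndpointFilter(AuthorizationServerSecurityConfigurer configurer,
                                                            AuthenticationEntryPoint entryPoint) {
        this.configurer = configurer;
        this.entryPoint = entryPoint;
    }

    // The manager is a shared object of the HttpSecurity this configurer belongs to;
    // it is not available when the filter is constructed, so look it up per request.
    @Override
    protected AuthenticationManager getAuthenticationManager() {
        return configurer.and().getSharedObject(AuthenticationManager.class);
    }

    // Do NOT call super: the parent asserts an eagerly-set manager and wires the default entry point.
    @Override
    public void afterPropertiesSet() {
        setAuthenticationFailureHandler((req, res, ex) -> entryPoint.commence(req, res, ex));
        setAuthenticationSuccessHandler((req, res, auth) -> { /* the parent continues the chain */ });
    }
}

public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        OAuthServerClientCredentialsTokenEndpointFilter filter =
                new OAuthServerClientCredentialsTokenEndpointFilter(security, new OAuthServerAuthenticationEntryPoint());
        filter.afterPropertiesSet(); // not a Spring bean, so the lifecycle hook is called by hand
        // The configurer inserts registered filters before BasicAuthenticationFilter.
        security.addTokenEndpointAuthenticationFilter(filter);
        // Deliberately not calling security.allowFormAuthenticationForClients(): it would also
        // register the stock filter, which runs first and answers with the default JSON.
    }
}
```

This covers clients that send client_id and client_secret as form parameters, which is what ClientCredentialsTokenEndpointFilter processes. A client that authenticates with an HTTP Basic header is checked by BasicAuthenticationFilter instead, and its failure response comes from the entry point configured with security.authenticationEntryPoint(...), so test both ways of sending the credentials.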
Resource Server Exception Handling
After obtaining a token, the resource server may encounter two errors: token expiration/invalidity and insufficient permissions.
For an expired or otherwise invalid token, a custom AuthenticationEntryPoint is defined and registered on the resource server's security configuration (the ResourceServerSecurityConfigurer).
For insufficient permissions, a custom AccessDeniedHandler is created and wired in the same place.
Testing screenshots demonstrate the customized JSON responses for each scenario.
Throughout the article, the author repeatedly reminds readers that the full source code is available on GitHub and encourages following the public account "码猿技术专栏" for additional resources.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Code Ape Tech Column
Former Ant Group P8 engineer, pure technologist, sharing full‑stack Java, job interview and career advice through a column. Site: java-family.cn