Error handling in Spring Security for @PreAuthorize AccessDeniedException returns 500 rather than 401
Based on the discussion of another post (see here) I came to the conclusion that the error handling for @PreAuthorize and authentication uses different concepts. The only way is to use, in Spring 3.2, the new concept of a generic error handler with the @ControllerAdvice and @ExceptionHandler annotations. So you can reuse the error handler class.
Example
```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;

@Component
@ControllerAdvice
public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {

    // Invoked by Spring Security's ExceptionTranslationFilter when an
    // unauthenticated request reaches a protected URL.
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException)
            throws IOException, ServletException {
        response.setContentType("application/json");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.getOutputStream().println("{ \"error\": \"" + authException.getMessage() + "\" }");
    }

    // Invoked by Spring MVC when a @PreAuthorize check on a controller method
    // throws AccessDeniedException, so the exception is mapped here instead of
    // surfacing as the 500 described in the question.
    @ExceptionHandler(value = { AccessDeniedException.class })
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AccessDeniedException ex) throws IOException {
        response.setContentType("application/json");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.getOutputStream().println("{ \"error\": \"" + ex.getMessage() + "\" }");
    }
}
```
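The handler class above only takes effect once it is wired into both halves of the stack: Spring Security has to be told to use it as the AuthenticationEntryPoint, and method security has to be enabled so that @PreAuthorize is evaluated at all. The following Java configuration is an added example, not part of the original answer; the class names SecurityConfig and AdminController, the /admin/report URL, the ADMIN role and the use of HTTP Basic are assumptions chosen to show the two paths a request can take. It assumes the RestAuthenticationEntryPoint class from the answer is on the component-scan path.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // required, otherwise @PreAuthorize is ignored
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // The @Component/@ControllerAdvice class from the answer; injected so the
    // same instance serves the filter chain and the MVC exception mapping.
    @Autowired
    private RestAuthenticationEntryPoint entryPoint;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()                      // assumption: stateless JSON API with no browser session
            .exceptionHandling()
                .authenticationEntryPoint(entryPoint) // unauthenticated requests -> commence(AuthenticationException) -> 401
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()      // every URL needs a logged-in principal
                .and()
            .httpBasic();
    }
}

// Hypothetical controller that exercises the second path: an authenticated
// caller without ROLE_ADMIN makes @PreAuthorize throw AccessDeniedException,
// which the @ExceptionHandler in the answer turns into a JSON 401 body.
@Controller
class AdminController {

    @PreAuthorize("hasRole('ADMIN')")
    @RequestMapping("/admin/report")
    @ResponseBody
    public String report() {
        return "{ \"status\": \"ok\" }";
    }
}
```

With this wiring a request with no credentials never reaches the controller and gets the entry point's response, while a request from a valid non-admin user reaches AdminController, fails the @PreAuthorize check and gets the @ExceptionHandler response; both produce a JSON body rather than the container's default 500 page. The answer maps both cases to 401; if the API needs to distinguish "not logged in" from "logged in but not allowed", the @ExceptionHandler is the place to return HttpServletResponse.SC_FORBIDDEN instead, since 403 is the conventional status for an authenticated principal that lacks the required authority.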