Return custom Spring security message from Rest API

I want to create a custom error message for the Forbidden error. I tried this:

Spring Security Configuration:

    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

      @Autowired
      private JwtTokenProvider jwtTokenProvider;

      @Override
      protected void configure(HttpSecurity http) throws Exception {

        // Disable CSRF (cross site request forgery)
        http.csrf().disable();

        // No session will be created or used by spring security
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // Entry points
        // Disallow everything else..

        // If a user try to access a resource without having enough permissions

        // Apply JWT
        http.apply(new JwtTokenFilterConfigurer(jwtTokenProvider));

        // Optional, if you want to test the API from a browser
        // http.httpBasic();
      }

      @Override
      public void configure(WebSecurity web) throws Exception {
        // Allow swagger to be accessed without authentication

        // Un-secure H2 Database (for testing purposes, H2 console shouldn't be unprotected in production)
      }

      @Bean
      public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12);
      }

    //  @Override
    //  @Bean
    //  public AuthenticationManager authenticationManagerBean() throws Exception {
    //    return super.authenticationManagerBean();
    //  }

      @Bean
      public AccessDeniedHandler accessDeniedHandler() {
        return new CustomAccessDeniedHandler();
      }
    }

Custom handler:

    public class CustomAccessDeniedHandler implements AccessDeniedHandler {

        public static final Logger LOG = LoggerFactory.getLogger(CustomAccessDeniedHandler.class);

        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException exc) throws IOException, ServletException {

            // Set the status and content type explicitly; otherwise the client gets 200 with a JSON body
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            response.setContentType("application/json");
            String jsonPayload = "{\"messffffffage\" : \"%s\", \"timestamp\" : \"%s\" }";
            response.getOutputStream().println(String.format(jsonPayload, exc.getMessage(), Calendar.getInstance().getTime()));
        }
    }

But I get the default error message:

    {
        "timestamp": "2020-06-09T21:23:32.528+00:00",
        "status": 403,
        "error": "Forbidden",
        "message": "",
        "path": "/engine/users/request"
    }

Do you know how I can implement the handler properly?


  • Just add AuthenticationEntryPoint

    public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {
        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                             AuthenticationException authException) throws IOException {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
        }
    }

    and configure it in the configuration class

        @Autowired
        private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;

        @Override
        protected void configure(HttpSecurity httpSecurity) throws Exception {
            // Register the entry point so unauthenticated requests get the custom response
            httpSecurity.exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint);
            // requestFilter is the JWT request filter used by this configuration
            httpSecurity.addFilterBefore(requestFilter, UsernamePasswordAuthenticationFilter.class);
        }

    You can write a custom message in the JwtAuthenticationEntryPoint class (the name is user-defined), which implements AuthenticationEntryPoint.

    Just add your custom message in the response.sendError(...) method.
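As an added example (not code from the question or the answer above), the configuration below wires both pieces Spring Security needs: an AuthenticationEntryPoint for requests with no or invalid credentials (401) and an AccessDeniedHandler for authenticated users who lack the required authority (403). Declaring the handler as a @Bean alone never registers it, and response.sendError hands control to the container and Spring Boot's /error controller, which produces exactly the default body shown in the question; writing the body directly avoids that. Class and method names here are my own.

```java
import java.io.IOException;
import java.time.Instant;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.AccessDeniedHandler;

@Configuration
public class ApiErrorSecurityConfig extends WebSecurityConfigurerAdapter {

    // Writes a small JSON body straight to the response. setStatus + getWriter (not sendError)
    // keeps the container and Spring Boot's /error controller from replacing the body.
    private static void writeJson(HttpServletResponse response, int status, String message) throws IOException {
        response.setStatus(status);
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        response.setCharacterEncoding("UTF-8");
        // A fixed message of our choosing, not exc.getMessage(), so no internal detail reaches the client
        response.getWriter().write(String.format("{\"status\": %d, \"message\": \"%s\", \"timestamp\": \"%s\"}",
                status, message, Instant.now()));
        response.getWriter().flush();
    }

    // 401: anonymous request to a protected resource. Spring Security's ExceptionTranslationFilter
    // sends these to the entry point, never to the AccessDeniedHandler.
    AuthenticationEntryPoint unauthorizedEntryPoint() {
        return (request, response, authException) ->
                writeJson(response, HttpServletResponse.SC_UNAUTHORIZED, "Authentication required");
    }
    // 403: authenticated, but the required authority is missing (e.g. a @PreAuthorize check failed).
    AccessDeniedHandler forbiddenHandler() {
        return (request, response, accessDeniedException) ->
                writeJson(response, HttpServletResponse.SC_FORBIDDEN, "Insufficient permissions");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests().anyRequest().authenticated()
            .and()
            // Both handlers must be registered here; a @Bean declaration by itself does nothing.
            .exceptionHandling()
                .authenticationEntryPoint(unauthorizedEntryPoint())
                .accessDeniedHandler(forbiddenHandler());
    }
}
```

With a JWT filter added as in the question, a request without a token now returns the 401 JSON and a valid token without the needed role returns the 403 JSON, neither of them the Boot default page.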