Spring Security can be used to secure a Jersey-based web application in much the same
way as it can be used to secure a Spring MVC-based web application. However, if you want
to use Spring Security’s method-level security with Jersey, you must configure Jersey to
use setStatus(int)
rather sendError(int)
. This prevents Jersey from committing the
response before Spring Security has had an opportunity to report an authentication or
authorization failure to the client.
The jersey.config.server.response.setStatusOverSendError
must be set to true
on the
application’s ResourceConfig
bean, as shown in the following example:
@Component public class JerseyConfig extends ResourceConfig { public JerseyConfig() { register(Endpoint.class); setProperties(Collections.singletonMap( "jersey.config.server.response.setStatusOverSendError", true)); } }