Spring Security can be used to secure a Jersey-based web application in much the same
way as it can be used to secure a Spring MVC-based web application. However, if you want
to use Spring Security’s method-level security with Jersey, you must configure Jersey to
use setStatus(int) rather sendError(int). This prevents Jersey from committing the
response before Spring Security has had an opportunity to report an authentication or
authorization failure to the client.
The jersey.config.server.response.setStatusOverSendError property must be set to true
on the application’s ResourceConfig bean, as shown in the following example:
@Component public class JerseyConfig extends ResourceConfig { public JerseyConfig() { register(Endpoint.class); setProperties(Collections.singletonMap( "jersey.config.server.response.setStatusOverSendError", true)); } }