Map unavailable authorization server to 503


Is this how I am expected to map "authorization server's down" to 503?

```java
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .oauth2ResourceServer(oauth2 -> oauth2
            .authenticationEntryPoint(authenticationEntryPoint())
            // ...
        );
    return http.build();
}

@Bean
public AuthenticationEntryPoint authenticationEntryPoint() {
    return (request, response, authException) -> {
        if (authException instanceof AuthenticationServiceException) {
            response.sendError(
                HttpStatus.SERVICE_UNAVAILABLE.value(),
                authException.getMessage()
            );
        } else {
            // Preserve default 401 behaviour for other auth failures
            // (invalid token, expired, etc.)
            response.sendError(
                HttpStatus.UNAUTHORIZED.value(),
                authException.getMessage()
            );
        }
    };
}
```

```
org.springframework.security.authentication.AuthenticationServiceException: An error occurred while attempting to decode the Jwt: I/O error on GET request for "http://localhost:8100/oauth2/jwks": Connection refused: getsockopt
```

That code's Claude's proposal. See, @ControllerAdvice won't work (it really doesn't) since

The exception never reaches the DispatcherServlet. JWT decoding happens inside BearerTokenAuthenticationFilter, which is part of the Security filter chain — it runs before the request gets to Spring MVC.

– Claude Sonnet

Or is there a better way?

I'm not 100% comfortable spreading exception handling logic all over the place. Those details, Dispatcher Servlet reached or not, do not seem like a valid reason to do so.

Spring Boot 4.
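An added example, not code from the question or from Spring Security: a single entry-point class that keeps the 503 mapping in one place, hands every other failure to the stock `BearerTokenAuthenticationEntryPoint` so the `WWW-Authenticate: Bearer` challenge is preserved, and logs the exception instead of returning its message, which in the trace above carries the internal JWKS URL. It assumes the resource-server filter passes `AuthenticationServiceException` to the configured entry point, as the snippet in the question expects; the class name and the Retry-After value are hypothetical.

```java
import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
import org.springframework.security.web.AuthenticationEntryPoint;

// Hypothetical class name; added example, not the question's code.
public final class UnavailableAwareEntryPoint implements AuthenticationEntryPoint {

    private static final Logger log = LoggerFactory.getLogger(UnavailableAwareEntryPoint.class);

    // Constructed value: how long clients should wait before retrying.
    private static final String RETRY_AFTER_SECONDS = "30";

    // Stock entry point: answers 401 with a WWW-Authenticate: Bearer challenge.
    private final AuthenticationEntryPoint bearer = new BearerTokenAuthenticationEntryPoint();

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException ex) throws IOException, ServletException {
        if (!(ex instanceof AuthenticationServiceException)) {
            // Invalid, expired or missing token: keep the default behaviour.
            bearer.commence(request, response, ex);
            return;
        }
        // Full detail (JWKS URL, I/O cause) goes to the server log only.
        log.warn("Token validation backend unavailable", ex);
        if (response.isCommitted()) {
            return; // status and headers can no longer be changed
        }
        response.setHeader(HttpHeaders.RETRY_AFTER, RETRY_AFTER_SECONDS);
        // Fixed text: never echo ex.getMessage() to the caller.
        response.sendError(HttpStatus.SERVICE_UNAVAILABLE.value(),
                "Authorization server unavailable");
    }
}
```

Register it with `.authenticationEntryPoint(new UnavailableAwareEntryPoint())` in place of the lambda bean.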
