Unable to catch MalformedJwtException in Spring Boot with custom exception handler

I'm using Spring Boot 3.0.3, Java 17 and io.jsonwebtoken v0.11.5. I've implemented Spring Security and it works great. One thing that I would like to customize is a JSON response when there's no jwt token passed or when there's wrong jwt token passed, I'm just getting an empty JSON response with Status 403 forbidden. I'd like to add a text to that message.

So I am trying to catch a MalformedJwtException in my custom exception handler, but it's not being caught.

I have a JwtAuthenticationFilter class which extracts the JWT token from the request header and validates it. If the token is not valid, it throws a MalformedJwtException. I tried using try-catch statement and throwing my custom exception but it doesn't get caught either.

Here is the relevant code from JwtAuthenticationFilter (method doFilterInternal):

try {
  jwt = authHeader.substring(authHeaderStartsWith.length());
  userEmail = jwtService.extractUsername(jwt);
} catch (Exception ex) {
  throw new CustomJWTException("To access this resource, you must provide a valid security token", HttpStatus.UNAUTHORIZED);
}

And here is my custom exception handler:

@ControllerAdvice
public class GlobalExceptionHandler {
  @ExceptionHandler(value = {CustomException.class})
  public ResponseEntity<ResponseWrapper> handleCustomException(CustomException ex) {
    var response = new ResponseWrapper(ex.getHttpStatus(), ex.getMessage());
   return ResponseEntity.status(ex.getHttpStatus()).body(response);
  }

  @ExceptionHandler(value = {CustomJWTException.class})
  public ResponseEntity<ResponseWrapper> handleCustomJWTException(CustomJWTException ex) {
    var message = ex.getMessage();

    if (message == null || message.isEmpty()) {
      message = "To access this resource, you must provide a valid security token";
    }

    var response = new ResponseWrapper(HttpStatus.UNAUTHORIZED, message);
    return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body(response);
  }

  @ExceptionHandler(value = {MalformedJwtException.class})
  public ResponseEntity<ResponseWrapper> handleMalformedJwtException(MalformedJwtException ex) {
    var message = ex.getMessage();

    if (message == null || message.isEmpty()) {
      message = "To access this resource, you must provide a valid security token";
    }

    var response = new ResponseWrapper(HttpStatus.UNAUTHORIZED, message);
    return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body(response);
  }
}

I know for sure that the code in the doFilterInternal method gets executed and works perfectly. Also my CustomJWTException is also getting thrown (even shown in the Debug console) but for some reason it doesn't end up in my exception handler.\

I also know for a fact that my exception handler works because I'm throwing CustomException is some other service and it works great (the exceptioin handler catches it).

I've tried tweaking @Order(Ordered.HIGHEST_PRECEDENCE) but nothing changed.

How can I achieve the desired result?

Basically it is because spring-security and spring-mvc has different mechanism to handle the exception.

Spring Security inserts many Filters to validate the HTTP request before the request really hit and processed by the spring-mvc Servlet (i.e DispatcherServlet) (see this for details)

And @ExceptionHandler is exception handling mechanism of spring-mvc and so it will only work if exception occurs during spring-mvc process the request.

Now your request already fail and return in the JwtAuthenticationFilter before it has chance to be processed by spring-mvc and that 's why @ExceptionHandler does not work.

How to fix it depends on your JwtAuthenticationFilter implementation . I usually delegate to an AuthenticationEntryPoint to process the exception if the authentication fail. In AuthenticationEntryPoint, use Jackson to prepare the error response JSON and return.