"Why is my API returning HTML error pages?!" I stared at my console in disbelief. My React frontend was trying to parse JSON, but Spring Security was happily serving up a Whitelabel Error Page for failed authentication attempts. This took me 3 hours to fix. Let me show you how to make Spring Security play nice with modern frontends. 🎨✨
Ever wondered why sometimes your Spring Boot exceptions are caught by @RestControllerAdvice and other times they're not? Or why your custom AccessDeniedHandler returns 403 before your controller even executes? I spent hours debugging this mystery until I understood Spring Boot's two-tier exception handling architecture. Let me save you the confusion. 🎯
I'll never forget the day I accidentally exposed user passwords in my API responses. I returned the entire User entity from a GET endpoint, thinking "Spring Boot will handle it!" Spoiler alert: It returned EVERYTHING—including hashed passwords, internal IDs, and timestamps. My code reviewer nearly had a heart attack. 😱 That's when I learned about DTOs. Let me save you from this nightmare.
"What does ResponseEntity<UnlockResponse> mean? Why can I use <UnlockResponse> here but <LoginResponse> somewhere else?" ResponseEntity is like a delivery box - it's a generic container that can hold any type of content. The <T> is a placeholder that you fill with your specific data type. Let's understand how this "magic" works and why it's incredibly powerful.