With Spring Boot 1.5.6.RELEASE I was able to send HTTP Status code 401 instead of 403 as described in How let spring security response unauthorized(http 401 code) if requesting uri without authentication, by doing this: using the org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint class. I just upgraded to Spring Boot 2.0.0.RELEASE and found there is not such class any more (at least in that package).