What I wanted to say in previous post, is that even if your application has properly defined filter, it may still now work. If you have SimpleMappingExceptionResolver configured (without any mappedHandlers and mappedHandlerClasses),
then it will not rethrow AccessTokenRequiredException
then filter will not catch this exception and retrieve access token.
Correct. If Spring Security cannot catch its own AuthenticationException and AccessDeniedException a lot of features don't work as expected. It's a common mistake in general with Spring Security and not really an OAuth specific concern, I think.