解决方案就是不使用sendError()并提供状态代码并提供自定义的异常序列化:

Solution was simply to not use sendError() and to provide a status code and to provide a custom exception serialization:

@Service
public class AjaxAuthenticationFailureHandler
        extends SimpleUrlAuthenticationFailureHandler {

    @Autowired
    private ObjectMapper objectMapper;

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.getWriter().write(objectMapper.writeValueAsString(exception));
        response.getWriter().flush();
    }


}