KB Article #179491

How do you return a custom error when the inbound security policy fails?

Problem

When the inbound security policy in API Manager fails, API Manager returns a 403 Authentication Failed error. How do you make API Manager return a custom error instead?

Resolution

API Manager processes requests according to the following flow diagram:

[Figure: API Manager flow diagram]

As the diagram implies, you can only return a custom error from the Default Routing policy. One way to do this is to have the Custom Security Policy return true even when the check fails, and also set a flag such as security.policy.failed. The Default Routing policy then checks for the presence of that flag and, based on it, returns the custom error message.
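
The flag pattern described above, as an added example that is not from the original article or the product's documentation: a small JavaScript model in which the message map, both policy functions, the API key and the error body are constructed assumptions, not the API Manager policy API. It also includes a routing policy that omits the flag check, to show why that check must run before routing once the security policy always returns true.

```javascript
// Added illustration: a constructed model of the flow, not the product's policy API.
const FLAG = "security.policy.failed";        // flag name suggested in the article
const VALID_KEYS = new Set(["demo-key-123"]); // constructed sample credential

// Custom Security Policy: always returns true so the flow reaches the routing
// policy, but records the authentication failure on the message.
function customSecurityPolicy(msg) {
  if (VALID_KEYS.has(msg.get("request.apiKey"))) {
    msg.delete(FLAG); // never rely on a flag left over from an earlier step
  } else {
    msg.set(FLAG, true);
  }
  return true;
}

// Default Routing policy: check the flag before anything is sent to the back end.
function defaultRoutingPolicy(msg, backend) {
  if (msg.get(FLAG) === true) {
    return { status: 401, routed: false, // constructed custom error
             body: JSON.stringify({ code: "AUTH-001", message: "Invalid or missing API key" }) };
  }
  return { status: 200, routed: true, body: backend(msg) };
}

// Routing policy without the flag check: because the security policy now always
// passes, a request that failed authentication reaches the back end (fail-open).
function routingWithoutFlagCheck(msg, backend) {
  return { status: 200, routed: true, body: backend(msg) };
}

// Simplified flow: security policy first, then the routing policy.
function handleRequest(apiKey, routingPolicy = defaultRoutingPolicy) {
  const msg = new Map([["request.apiKey", apiKey]]);
  const backend = () => "backend response";
  if (!customSecurityPolicy(msg)) {
    // Built-in behaviour when the security policy itself fails.
    return { status: 403, routed: false, body: "Authentication Failed" };
  }
  return routingPolicy(msg, backend);
}

console.log(handleRequest("demo-key-123"));                       // routed to back end
console.log(handleRequest("wrong-key"));                          // custom error, not routed
console.log(handleRequest("wrong-key", routingWithoutFlagCheck)); // fail-open
```

Every routing policy that sits behind a security policy written this way needs the flag check, because the built-in 403 no longer stops the request.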


Note: This flow was changed in 7.6.2 and later versions to allow for custom fault handling in API Manager. For more information, refer to the Configure API Manager custom policies section in the relevant version's documentation.