Right now UsernamePasswordJsonAuthenticationListener defaults to using DefaultAuthenticationFailureHandler which means that a redirect is made rather than returning a 4xx error. I guess it makes sense to have the ability to define a custom failure handler but there should be a way to not have a redirect.

I looked into DefaultAuthenticationFailureHandler and I do not see a clean way to get this behavior, maybe we should add a throw_exception option to make it possible to simply re-throw the AuthenticationException so that it can be handled appropriately elsewhere or if there should be an option return_error_reponse which accepts an HTTP status code as a value that would then be used in the response.