Spring Security - Token based API auth & user/password authentication
I believe the error that you mention is just because the AbstractAuthenticationProcessingFilter base class that you are using requires an AuthenticationManager. If you aren't going to use it you can set it to a no-op, or just implement Filter directly. If your Filter can authenticate the request and sets up the SecurityContext then usually the downstream processing will be skipped (it depends on the implementation of the downstream filters, but I don't see anything weird in your app, so they probably all behave that way).
If I were you I might consider putting the API endpoints in a completely separate filter chain (another WebSecurityConfigurerAdapter bean). But that only makes things easier to read, not necessarily crucial.
You might find (as suggested in comments) that you end up reinventing the wheel, but no harm in trying, and you will probably learn more about Spring and Security in the process.
ADDITION: the GitHub approach is quite interesting: users just use the token as a password in basic auth, and the server doesn't need a custom filter (BasicAuthenticationFilter is fine).
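The two suggestions in the answer above (a separate filter chain for the API, and the token sent as the basic-auth password) combined in one configuration. This is an added example, not code from the original answer; it assumes Spring Security 5.x, and the `/api/**` path, the class names, the `ROLE_API` authority and the in-memory token map are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.*;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

@EnableWebSecurity
public class SecurityConfig {
    @Configuration @Order(1) // consulted first, but only for requests under /api/**
    public static class ApiSecurity extends WebSecurityConfigurerAdapter {
        @Override protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**")
                .authorizeRequests().anyRequest().authenticated().and()
                .httpBasic().and() // stock BasicAuthenticationFilter, no custom filter
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .csrf().disable(); // assumption: API clients are not browsers
        }
        @Override protected void configure(AuthenticationManagerBuilder auth) {
            auth.authenticationProvider(new TokenAsPasswordProvider());
        }
    }

    @Configuration @Order(2) // everything else: ordinary user/password form login
    public static class FormLoginSecurity extends WebSecurityConfigurerAdapter {
        @Override protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated().and().formLogin();
        }
    }

    // Treats the basic-auth "password" as an API token.
    static class TokenAsPasswordProvider implements AuthenticationProvider {
        // Constructed sample data; a real store would keep only token hashes.
        private final Map<String, String> tokens = Map.of("alice", "constructed-sample-token");
        @Override public Authentication authenticate(Authentication auth) {
            String expected = tokens.get(auth.getName());
            byte[] presented = String.valueOf(auth.getCredentials()).getBytes(StandardCharsets.UTF_8);
            // MessageDigest.isEqual avoids an early-exit string comparison
            if (expected == null || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), presented))
                throw new BadCredentialsException("Invalid API token");
            return new UsernamePasswordAuthenticationToken(
                auth.getName(), null, AuthorityUtils.createAuthorityList("ROLE_API"));
        }
        @Override public boolean supports(Class<?> type) {
            return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
        }
    }
}
```

The form-login chain relies on whatever user store the application already defines (for example a UserDetailsService bean), which is not shown here.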