When accessing the restricted delorean page and requesting JSON, the response status is 200 even though an authentication failure was raised (not visible as the security method does nothing at the moment).
Perhaps the security method should specify a response status like some of the others in the Error class, for example:

public ErrorResponse security(Exception e) {
        return new JsonErrorResponse(HttpServletResponse.SC_UNAUTHORIZED).message("error", e.getMessage());
}

To test:

curl --cookie newcookies.txt -H "Accept: application/json" "http://localhost:8080/aerogear-controller-demo/delorean" -v

Notice that the response code is 200.