From 3396890d8bd88bb3b3c8dbf1e5a7e1ef12d2f029 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Mon, 18 Aug 2025 17:04:19 -0600
Subject: [PATCH] Propagate AccessDeniedException Only to ExceptionTranslationFilter

Closes gh-17761
---
 .../AuthorizationProxyWebConfiguration.java | 4 +---
 .../PrePostMethodSecurityConfigurationTests.java | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/AuthorizationProxyWebConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/AuthorizationProxyWebConfiguration.java
index a464e68082..21d23ad4f0 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/AuthorizationProxyWebConfiguration.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/AuthorizationProxyWebConfiguration.java
@@ -102,9 +102,7 @@ class AuthorizationProxyWebConfiguration implements WebMvcConfigurer {
 		Throwable accessDeniedException = this.throwableAnalyzer
 			.getFirstThrowableOfType(AccessDeniedException.class, causeChain);
 		if (accessDeniedException != null) {
-			return new ModelAndView((model, req, res) -> {
-				throw ex;
-			});
+			throw (AccessDeniedException) accessDeniedException;
 		}
 		return null;
 	}
diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java
index baad6eabea..b61d495ec2 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java
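Review bot: The new `throw` that replaces the ModelAndView relies on the DispatcherServlet letting an exception thrown from inside a HandlerExceptionResolver escape the servlet so that ExceptionTranslationFilter, further up the filter chain, can apply the configured AccessDeniedHandler; nothing in the code records that intent, so a short comment would stop a later change from reinstating a resolved-ModelAndView path, e.g. `// rethrow so the denial reaches ExceptionTranslationFilter instead of being rendered as a resolved error (gh-17761)`. Note that the original `ex` is now discarded in favour of the unwrapped cause, so any wrapping exception's context is no longer propagated — presumably intended, since the filter only matches AccessDeniedException, but worth stating. If another HandlerExceptionResolver is ordered ahead of this one it may still consume the exception first; that ordering, like the start of the enclosing resolver method, is outside the hunk.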
+++ b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java
@@ -33,6 +33,7 @@ import io.micrometer.observation.ObservationHandler;
 import io.micrometer.observation.ObservationRegistry;
 import io.micrometer.observation.ObservationTextPublisher;
 import jakarta.annotation.security.DenyAll;
+import jakarta.servlet.RequestDispatcher;
 import org.aopalliance.aop.Advice;
 import org.aopalliance.intercept.MethodInterceptor;
 import org.aopalliance.intercept.MethodInvocation;
@@ -138,6 +139,7 @@ import org.springframework.web.servlet.config.annotation.EnableWebMvc;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.assertj.core.api.Assertions.assertThatNoException;
+import static org.hamcrest.Matchers.nullValue;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.atLeastOnce;
 import static org.mockito.Mockito.clearInvocations;
@@ -149,6 +151,7 @@ import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoInteractions;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.request;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 /**
@@ -1279,6 +1282,19 @@ public class PrePostMethodSecurityConfigurationTests {
 		this.mvc.perform(requestWithUser).andExpect(status().isForbidden());
 	}
 
+	// gh-17761
+	@Test
+	void getWhenPostAuthorizeAuthenticationNameNotMatchThenNoExceptionExposedInRequest() throws Exception {
+		this.spring.register(WebMvcMethodSecurityConfig.class, BasicController.class).autowire();
+		// @formatter:off
+		MockHttpServletRequestBuilder requestWithUser = get("/authorized-person")
+			.param("name", "john")
+			.with(user("rob"));
+		// @formatter:on
+		this.mvc.perform(requestWithUser)
+			.andExpect(request().attribute(RequestDispatcher.ERROR_EXCEPTION, nullValue()));
+	}
+
 	@Test
 	void getWhenPostAuthorizeWithinServiceAuthenticationNameMatchesThenRespondsWithOk() throws Exception {
 		this.spring.register(WebMvcMethodSecurityConfig.class, BasicController.class, BasicService.class).autowire();
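Review bot: The new test asserts only that `RequestDispatcher.ERROR_EXCEPTION` is absent and never checks the response, so it would also pass if the request were served with 200 because the @PostAuthorize check had not run at all; the sibling test at the top of the hunk pins the status, and this one should too by appending `.andExpect(status().isForbidden())` to the `andExpect` chain. That keeps the gh-17761 regression test from silently degrading into one that accepts an authorization bypass.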