Endpoint returns a 500, instead of 403 status code when the user does not have required permission about spring-security HOT 5 OPEN

Hey Folks,

We're using Spring Boot version 3.3.1 and managing authorization with the @PreAuthorize annotation. Here's our security filter chain bean definition, where we permit all on the /error path. Despite this, exceptions thrown by Spring Security aren't handled correctly.

@Bean
@ConditionalOnProperty(value = "security.enabled", havingValue = "true", matchIfMissing = true)
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    return http.cors(Customizer.withDefaults())
            .csrf(AbstractHttpConfigurer::disable)
            .sessionManagement(sessionManagement -> sessionManagement.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(authRequest -> authRequest
                    .requestMatchers("/", "/docs/api-docs/**", "/ui/swagger-ui/**", "/actuator/health/**").permitAll()
                    .requestMatchers("/error/**").permitAll()
                    .requestMatchers("/api/**").authenticated()
            )
            .oauth2ResourceServer(resourceServer -> resourceServer.jwt(jwt -> jwt.jwtAuthenticationConverter(new CustomAuthenticationConverter(configProperties.clientId()))))
            .build();
}

When Spring Security returns a 403 status, we receive a 500 status code instead. We can handle this by catching the exception in our codebase, but I think Spring Security should handle it automatically.

from spring-security.

Hi @dyleph, thanks for the report. Are you able to provide a minimal, reproducible sample that we can run on our side? Looks like your application has some customizations that will make it harder for us to reproduce the same behavior.

from spring-security.

Hi, same problem for us

Do you know when it will be fixed and if it will be included in Spring Boot 3.3.1?

from spring-security.

Hi folks, based on my tests I got a proper 403 returned. It would be great if you could provide a minimal sample that we can use to reproduce the problem on our side.

from spring-security.

Hello I have the same problem when using a Custom ApplicationExceptionHandler extending ResponseEntityExceptionHandler. It seams that AccessDeniedException are automatically catched when using this type of handler but not AuthorizationDeniedException. It is possible to add a custom exception handler for AuthorizationDeniedException to bypass this problem but it should not be necessary.

import org.springframework.web.servlet.mvc.method.annotation.ResponseEntityExceptionHandler;

@ControllerAdvice
class ApplicationExceptionHandler extends ResponseEntityExceptionHandler {
  
  @ExceptionHandler(AuthorizationDeniedException.class)
  ResponseEntity<String> handleAuthorizationDeniedException(AuthorizationDeniedException exception) {
    return ResponseEntity.status(HttpStatus.FORBIDDEN).body("Access denied");
  }
}

from spring-security.