Spring 7 webmvc and @PreAuthorize: AuthorizationDeniedException results in 500 response status

[ah1508]

When a @PreAuthorize annotated method is called with insufficient permissions (anonymous call, missing authorities, missing roles), a AuthorizationDeniedException is thrown (like with Spring 6) but it is translated into HTTP 500 response.

With Spring 6 the response status is 401 or 403 with WWW-Authenticate header. Writing a @ExceptionHandler for this exception is possible but error prone.

When endpoints are secured by request matchers in the SecurityFilterChain configuration the status is 401 or 403 with WWW-Authenticate header.

[rstoyanchev]

Thanks for the report.

As a lower level project, Spring Framework has no handling of Spring Security exceptions. So this is most likely the wrong place for the issue. I expect Spring Security has a mechanism for this, see for example this in the reference docs. You can trace what handled the exception through logging or an Exception breakpoint.

I would also establish In what version the breakage first occurs? You can vary Spring Framework and Spring Security independently to narrow down which leads to the difference.

[ah1508]

Indeed, the status and header are properly set if I add <spring-security.version>6.5.2</spring-security.version> property. I will investigate and submit the issue on the spring-security project.