Propagate AccessDeniedException Only to ExceptionTranslationFilter

jzheaux · jzheaux · commit 3396890d8bd8 · 2025-08-18T17:04:19.000-06:00
Closes gh-17761
diff --git a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/AuthorizationProxyWebConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/AuthorizationProxyWebConfiguration.java
@@ -102,9 +102,7 @@ public ModelAndView resolveException(HttpServletRequest request, HttpServletResp
 			Throwable accessDeniedException = this.throwableAnalyzer
 				.getFirstThrowableOfType(AccessDeniedException.class, causeChain);
 			if (accessDeniedException != null) {
-				return new ModelAndView((model, req, res) -> {
-					throw ex;
-				});
+				throw (AccessDeniedException) accessDeniedException;
 			}
 			return null;
 		}
diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java
@@ -33,6 +33,7 @@
 import io.micrometer.observation.ObservationRegistry;
 import io.micrometer.observation.ObservationTextPublisher;
 import jakarta.annotation.security.DenyAll;
+import jakarta.servlet.RequestDispatcher;
 import org.aopalliance.aop.Advice;
 import org.aopalliance.intercept.MethodInterceptor;
 import org.aopalliance.intercept.MethodInvocation;
@@ -138,6 +139,7 @@
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.assertj.core.api.Assertions.assertThatNoException;
+import static org.hamcrest.Matchers.nullValue;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.atLeastOnce;
 import static org.mockito.Mockito.clearInvocations;
@@ -149,6 +151,7 @@
 import static org.mockito.Mockito.verifyNoInteractions;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.request;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 /**
@@ -1279,6 +1282,19 @@ void getWhenPostAuthorizeAuthenticationNameNotMatchThenRespondsWithForbidden() t
 		this.mvc.perform(requestWithUser).andExpect(status().isForbidden());
 	}
 
+	// gh-17761
+	@Test
+	void getWhenPostAuthorizeAuthenticationNameNotMatchThenNoExceptionExposedInRequest() throws Exception {
+		this.spring.register(WebMvcMethodSecurityConfig.class, BasicController.class).autowire();
+		// @formatter:off
+		MockHttpServletRequestBuilder requestWithUser = get("/authorized-person")
+				.param("name", "john")
+				.with(user("rob"));
+		// @formatter:on
+		this.mvc.perform(requestWithUser)
+			.andExpect(request().attribute(RequestDispatcher.ERROR_EXCEPTION, nullValue()));
+	}
+
 	@Test
 	void getWhenPostAuthorizeWithinServiceAuthenticationNameMatchesThenRespondsWithOk() throws Exception {
 		this.spring.register(WebMvcMethodSecurityConfig.class, BasicController.class, BasicService.class).autowire();

Original file line number	Diff line number	Diff line change
`@@ -102,9 +102,7 @@ public ModelAndView resolveException(HttpServletRequest request, HttpServletResp`
`102`	`102`	`Throwable accessDeniedException = this.throwableAnalyzer`
`103`	`103`	`.getFirstThrowableOfType(AccessDeniedException.class, causeChain);`
`104`	`104`	`if (accessDeniedException != null) {`
`105`		`- return new ModelAndView((model, req, res) -> {`
`106`		`- throw ex;`
`107`		`- });`
	`105`	`+ throw (AccessDeniedException) accessDeniedException;`
`108`	`106`	`}`
`109`	`107`	`return null;`
`110`	`108`	`}`