problem-spring-web: Throwing AccessDeniedException creates problem with different status in version 0.23.0 vs 0.24.0

Versions 0.23.0 and 0.24.0 return a different status for AccessDeniedException

Description

When AccessDeniedException is thrown in version 0.23.0, I get the following response:

{"title":"Forbidden","status":403,"detail":"Access Denied: Failed"}

When problem-spring-web is updated to version 0.24.0, the response I get is:

{"title":"Internal Server Error","status":500,"detail":"Access Denied: Failed"}

Expected Behavior

The expected response is

{"title":"Forbidden","status":403,"detail":"Access Denied: Failed"}

Actual Behavior

Actual response is

{"title":"Internal Server Error","status":500,"detail":"Access Denied: Failed"}

Steps to Reproduce

  1. Spring Boot 2.1.5 application with spring-boot-starter-web and spring-boot-starter-security and problem-spring-web (mvc) 0.24.0
  2. RestController containing
    @GetMapping("/fail")
    public String fail()
    {
        throw new AccessDeniedException("Access Denied: Failed");
    }

    @PreAuthorize("denyAll()")
    @GetMapping("/fail2")
    public String fail2()
    {
        return "Should not reach this part";
    }
  3. Access the endpoint

Context

Just sticking to version 0.23.0 for now

Your Environment

  • Problem-Spring-Web Version used: 0.24.0
  • Spring Boot 2.1.5

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 17

Most upvoted comments

If I have two ControllerAdvice such as

@ControllerAdvice
public class ExceptionHandler implements ProblemHandling
{
}

and

@ControllerAdvice
public class SecurityExceptionHandler implements SecurityAdviceTrait
{
}

then the Internal Error result is generated, but when I only have one ControllerAdvice such as

@ControllerAdvice
public class ExceptionHandler implements ProblemHandling, SecurityAdviceTrait
{
}

I get the Forbidden result.
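
A regression test for the status code reported in this issue, as an added example that is not part of the original issue or of the project's own code. It assumes the `/fail` and `/fail2` endpoints from the steps to reproduce, JUnit 4 with spring-boot-starter-test and spring-security-test on the test classpath, and method security enabled for `@PreAuthorize`; the test class name is hypothetical.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class AccessDeniedStatusTest {   // hypothetical test class name

    @Autowired
    private MockMvc mvc;

    // AccessDeniedException thrown directly by the controller method (/fail).
    @Test
    @WithMockUser   // authenticated, so the request reaches the controller
    public void thrownAccessDeniedIsReportedAsForbidden() throws Exception {
        mvc.perform(get("/fail"))
                .andExpect(status().isForbidden())
                .andExpect(jsonPath("$.status").value(403))
                .andExpect(jsonPath("$.title").value("Forbidden"))
                .andExpect(jsonPath("$.detail").value("Access Denied: Failed"));
    }

    // AccessDeniedException raised by method security (/fail2); assumes
    // @PreAuthorize is enabled, e.g. @EnableGlobalMethodSecurity(prePostEnabled = true).
    @Test
    @WithMockUser
    public void preAuthorizeDenialIsReportedAsForbidden() throws Exception {
        mvc.perform(get("/fail2"))
                .andExpect(status().isForbidden())
                .andExpect(jsonPath("$.status").value(403))
                .andExpect(jsonPath("$.title").value("Forbidden"));
    }
}
```

Running it on each dependency upgrade catches an authorization failure that starts surfacing as a 500 instead of a 403, which would otherwise skew both client behaviour and access-denied monitoring.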