Boot's /error page not accessible in certain scenarios after updating to 5.6.2

[jkuipers]

After updating from 5.6.1 to 5.6.2 (by updating from Boot 2.6.3 to 2.6.4), the Boot /error page isn't accessible anymore in certain cases.
Here's a sample app with an integration test that showcases the issue:
spring-boot-errorpage-security-issue.zip

I reported this as a Boot issue first (as I wasn't sure what the root problem is). Andy Wilkinson had a look and concluded that this is related to Spring Security rather than the way that Boot sets up its /error page.
There are workarounds, like explicitly permitting access to /error or using authorizeRequests instead of authorizeHttpRequests, but without additional info I do expect this to be a regression bug.

[jkuipers]

Hey, I was wondering if you could at least confirm that this is considered a bug. Also, not sure if you saw Andy's comment in the Boot-issue, but when you use authorizeRequests instead of authorizeHttpRequests the behavior is as expected.

[marcusdacoregio]

Hi @jkuipers, this is probably related to #10950.

You can see in the debug logs the following: Abstaining since did not find matching RequestMatcher, and there was a bug with the AuthorizationManagerWebInvocationPrivilegeEvaluator where it denied access if there was no decision, also known as AuthorizationDecision == null.

When using authorizeRequests() it works because it uses the DefaultWebInvocationPrivilegeEvaluator.

Can you please try the version 5.6.3-SNAPSHOT of Spring Security and confirm if it works?

[jkuipers]

I can confirm that the integration tests passes with 5.6.3-SNAPSHOT. Your explanation makes sense, so with that I will close this issue.

[marcusdacoregio]

Thanks for verifying @jkuipers. Have a great weekend!