2 年之前 · c3563df25a
--- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java
@@ -56,7 +56,9 @@ import org.springframework.security.web.access.expression.DefaultWebSecurityExpr
 
															 import org.springframework.security.web.access.intercept.AuthorizationFilter;
														
 
															 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
														
 
															 import org.springframework.security.web.debug.DebugFilter;
														
 
															+import org.springframework.security.web.firewall.CompositeRequestRejectedHandler;
														
 
															 import org.springframework.security.web.firewall.HttpFirewall;
														
 
															+import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
														
 
															 import org.springframework.security.web.firewall.ObservationMarkingRequestRejectedHandler;
														
 
															 import org.springframework.security.web.firewall.RequestRejectedHandler;
														
 
															 import org.springframework.security.web.firewall.StrictHttpFirewall;
														
@@ -309,8 +311,10 @@ public final class WebSecurity extends AbstractConfiguredSecurityBuilder<Filter,
 
															 			filterChainProxy.setRequestRejectedHandler(this.requestRejectedHandler);
														
 
															 		}
														
 
															 		else if (!this.observationRegistry.isNoop()) {
														
 
															-			filterChainProxy
														
 
															-					.setRequestRejectedHandler(new ObservationMarkingRequestRejectedHandler(this.observationRegistry));
														
 
															+			CompositeRequestRejectedHandler requestRejectedHandler = new CompositeRequestRejectedHandler(
														
 
															+					new ObservationMarkingRequestRejectedHandler(this.observationRegistry),
														
 
															+					new HttpStatusRequestRejectedHandler());
														
 
															+			filterChainProxy.setRequestRejectedHandler(requestRejectedHandler);
														
 
															 		}
														
 
															 		filterChainProxy.setFilterChainDecorator(getFilterChainDecorator());
														
 
															 		filterChainProxy.afterPropertiesSet();
														
--- a/config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java
@@ -122,6 +122,16 @@ public class WebSecurityTests {
 
															 		assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_BAD_REQUEST);
														
 
															 	}
														
 
															+	// gh-12548
														
 
															+	@Test
														
 
															+	public void requestRejectedHandlerInvokedWhenOperationalObservationRegistry() throws ServletException, IOException {
														
 
															+		loadConfig(ObservationRegistryConfig.class);
														
 
															+		this.request.setServletPath("/spring");
														
 
															+		this.request.setRequestURI("/spring/\u0019path");
														
 
															+		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
														
 
															+		assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_BAD_REQUEST);
														
 
															+	}
														
 
															+
														
 
															 	@Test
														
 
															 	public void ignoringMvcMatcherServletPath() throws Exception {
														
 
															 		loadConfig(MvcMatcherServletPathConfig.class, LegacyMvcMatchingConfig.class);