Skip to content

Mismatch Between DefaultLoginPageGeneratingFilter and DelegatingMissingAuthorityAccessDeniedHandler #18000

New issue
New issue
Closed
Closed
Mismatch Between DefaultLoginPageGeneratingFilter and DelegatingMissingAuthorityAccessDeniedHandler#18000
Assignees
jzheaux
Labels
for: team-attentionThis ticket should be discussed as a team before proceedingin: webAn issue in web modules (web, webmvc)type: bugA general bug
Milestone
7.0.0-RC1
@rwinch

Description

@rwinch
rwinch
opened on Oct 3, 2025

DelegatingMissingAuthorityAccessDeniedHandler only sets a single missing authority while DefaultLoginPageGeneratingFilter will allow for more than one authority to be missing. One could argue that this gives the default login page flexibility, but I'd argue that this (if anything) backwards. The default login page is just that a default and typically overridden. We are not leveraging this UI feature and so it should not be implemented. On the contrary DelegatingMissingAuthorityAccessDeniedHandler is intended to be production use and it only ever sets a single missing authority meaning that a custom UI could not leverage this functionality with build in Spring Security code (they'd need a custom AuthorizationDeniedHandler or similar).

Metadata

Metadata

Assignees

Labels

for: team-attentionThis ticket should be discussed as a team before proceedingin: webAn issue in web modules (web, webmvc)type: bugA general bug

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions