Hello.

I updated to spring boot v3.0.4 from 2.7.

And the responses from the controller routes began to differ in some cases. I have these dependencies:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

And the method in controller:

@GetMapping(value = "/path/{*vdsPath}")
public void getObject(@PathVariable String vdsPath,
                      final HttpServletRequest request,
                      final HttpServletResponse response) {
    System.out.println(vdsPath);
}

Spring Security has class StrictHttpFirewall and method rejectedBlocklistedUrls:

private void rejectedBlocklistedUrls(HttpServletRequest request) {
    for (String forbidden : this.encodedUrlBlocklist) {
        if (encodedUrlContains(request, forbidden)) {
            throw new RequestRejectedException(
                    "The request was rejected because the URL contained a potentially malicious String \""
                            + forbidden + "\"");
        }
    }
    for (String forbidden : this.decodedUrlBlocklist) {
        if (decodedUrlContains(request, forbidden)) {
            throw new RequestRejectedException(
                    "The request was rejected because the URL contained a potentially malicious String \""
                            + forbidden + "\"");
        }
    }
}

When I do a request to http://localhost/path/dir, everything is fine. When I do a request to http://localhost/path//dir, the request gets into the method rejectedBlocklistedUrls and reaches "throw new RequestRejectedException". In Spring Boot 5 the response was:

{
    "error": "Internal Server Error",
    "message": "The request was rejected because the URL contained a potentially malicious String \"//\"",
    "path": "/path//dir/",
    "status": 500,
}

And in the console there was an error and stack trace:

org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String "//"
    at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlocklistedUrls(StrictHttpFirewall.java:535) ~[spring-security-web-5.7.6.jar:5.7.6]
    at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:505) ~[spring-security-web-5.7.6.jar:5.7.6]
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:206) ~[spring-security-web-5.7.6.jar:5.7.6]

But with Spring Boot 6 the answer became:

{
    "error": "Bad Request",
    "message": "No message available",
    "path": "/path//dir/",
    "status": 400,
}

And no information about the error in the console.

Is there any way to configure it to return the old behavior? Or maybe it's a bug?
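
For readers who want the console visibility back without reverting to the old 500 response, the following Spring Security configuration is an added example (not code from this issue or from the Spring projects). It exposes a RequestRejectedHandler bean that logs every StrictHttpFirewall rejection (method, URI, remote address and the firewall's reason) and then delegates to HttpStatusRequestRejectedHandler, which is what produces the 400 seen above. It assumes Spring Security 6 with Spring Boot 3 (jakarta.servlet namespace) and that, as the Spring Security reference documents, a RequestRejectedHandler bean in the application context is picked up by the web security configuration; the class name FirewallLoggingConfig is a hypothetical name chosen for this example.

```java
package com.example.security; // hypothetical package for this added example

import java.io.IOException;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.RequestRejectedHandler;

/**
 * Added example: keep the 400 response that Spring Security 6 returns for
 * requests rejected by StrictHttpFirewall (e.g. a URL containing "//"),
 * but record the rejection in the application log so operators can see it.
 */
@Configuration
public class FirewallLoggingConfig {

    private static final Logger log = LoggerFactory.getLogger(FirewallLoggingConfig.class);

    @Bean
    RequestRejectedHandler requestRejectedHandler() {
        // Same status the default handler uses; the rejection reason is
        // deliberately not written to the response body (the old 500 did that).
        RequestRejectedHandler delegate =
                new HttpStatusRequestRejectedHandler(HttpStatus.BAD_REQUEST.value());

        return (HttpServletRequest request, HttpServletResponse response,
                RequestRejectedException ex) -> {
            // Log at WARN: repeated hits on one path or from one client are
            // worth alerting on, since the firewall only rejects malformed
            // or suspicious URLs such as "//", "%2e" or ";" in the path.
            log.warn("StrictHttpFirewall rejected {} {} from {}: {}",
                    request.getMethod(),
                    request.getRequestURI(),
                    request.getRemoteAddr(),
                    ex.getMessage());
            try {
                delegate.handle(request, response, ex);
            } catch (IOException ioe) {
                log.error("Could not write rejection response", ioe);
                throw ioe;
            }
        };
    }
}
```

With this bean in place, a request to /path//dir still gets the 400 "Bad Request" body shown above, and the console shows one WARN line naming the rejected URI and the reason ("The request was rejected because the URL contained a potentially malicious String \"//\""). If the double slash is legitimately part of the application's URL scheme, the check itself can be relaxed by exposing a StrictHttpFirewall bean with setAllowUrlEncodedDoubleSlash(true), but that loosens a path-normalisation safeguard for the whole application, so logging the rejections and fixing the client is usually the better trade.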

Comment From: bclozel

This change has been introduced in Spring Security with https://github.com/spring-projects/spring-security/issues/7568. I'm closing this issue as it's not related to Spring Framework. Thanks!