Andriy Zhdanov (Migrated from SEC-1568) said:

AclAuthorizationStrategyImpl.securityCheck() should throw AccessDeniedException; however, NotFoundException is thrown instead while trying to get the permission via ACEs within the ACL using acl.isGranted().

It complicates diagnosing the real problem when using spring-security.

I faced this problem in spring-security-acl-2.0.4, but looking at the latest sources on branch master, I can see the strategy is the same, but now in DefaultPermissionGrantingStrategy.

I think NotFoundException from Acl.isGranted() should be wrapped with AccessDeniedException in AclAuthorizationStrategyImpl.securityCheck().

Of course I can write my own strategy and use it instead, but I'd like, if not a fix for this, a clarification of the point of such behaviour.

Comment From: rwinch

If a NotFoundException is thrown, that means that the system is incorrectly set up and an action needs to be taken, while an AccessDeniedException just means that the user doesn't have permissions. These scenarios need to be treated very differently and thus require different Exception types.
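The following is an added example, not code from the thread or from Spring Security itself: a hypothetical decorator around any AclAuthorizationStrategy (for instance AclAuthorizationStrategyImpl) that keeps the two exception types distinct, as the maintainer describes, but records a NotFoundException as an ACL misconfiguration so it can be alerted on separately from ordinary denials. It assumes the current package layout (org.springframework.security.acls.model for Acl and NotFoundException) and uses java.util.logging to stay dependency-free.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.acls.domain.AclAuthorizationStrategy;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.NotFoundException;

/**
 * Hypothetical decorator (not part of Spring Security). It does NOT convert
 * NotFoundException into AccessDeniedException; it only classifies the two
 * outcomes differently before rethrowing them unchanged.
 */
public class DiagnosingAclAuthorizationStrategy implements AclAuthorizationStrategy {

    private static final Logger LOG =
            Logger.getLogger(DiagnosingAclAuthorizationStrategy.class.getName());

    private final AclAuthorizationStrategy delegate;

    public DiagnosingAclAuthorizationStrategy(AclAuthorizationStrategy delegate) {
        this.delegate = delegate;
    }

    @Override
    public void securityCheck(Acl acl, int changeType) {
        try {
            delegate.securityCheck(acl, changeType);
        } catch (NotFoundException nfe) {
            // No ACE matched the caller's SIDs at all: the ACL (or its inheritance
            // chain) is mis-configured, not merely restrictive. Treat as an
            // operational problem that an administrator must act on.
            LOG.log(Level.SEVERE, "ACL misconfiguration: no ACE evaluated for "
                    + acl.getObjectIdentity() + " (" + changeTypeName(changeType) + ")", nfe);
            throw nfe;
        } catch (AccessDeniedException ade) {
            // Expected outcome for a principal lacking the permission: audit only.
            LOG.log(Level.INFO, "ACL change denied for " + acl.getObjectIdentity()
                    + " (" + changeTypeName(changeType) + ")");
            throw ade;
        }
    }

    private static String changeTypeName(int changeType) {
        switch (changeType) {
            case AclAuthorizationStrategy.CHANGE_OWNERSHIP: return "CHANGE_OWNERSHIP";
            case AclAuthorizationStrategy.CHANGE_AUDITING:  return "CHANGE_AUDITING";
            case AclAuthorizationStrategy.CHANGE_GENERAL:   return "CHANGE_GENERAL";
            default: return "UNKNOWN(" + changeType + ")";
        }
    }
}
```

Wire it in wherever the AclAuthorizationStrategy bean is defined, passing the existing strategy as the delegate; a SEVERE entry then flags the configuration gap the original report found hard to diagnose, while denials stay ordinary access control events.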