In Spring Cloud Dataflow, while upgrading from Boot 2.4 to 2.5, one of the MockMvc tests started to fail by throwing an AuthenticationServiceException instead of checking for the 401, which is what happens when a real app is running.

The test that doesn't work anymore is:

localDataflowResource.getMockMvc()
  .perform(get("/")
  .header("Authorization", "bearer 123456"))
  .andExpect(status().isUnauthorized());

https://github.com/spring-cloud/spring-cloud-dataflow/blob/5fa0288e5d5f4bab70f65468d495ce5d54355267/spring-cloud-starter-dataflow-server/src/test/java/org/springframework/cloud/dataflow/server/single/security/LocalServerSecurityWithOAuth2Tests.java#L284-L288

I think this was due to a change in error handling with https://github.com/spring-projects/spring-security/commit/ccb3b028884ccffb585c36a4ff03b763b1a81a10

I'm not sure where we should change something so that we could test these again, or if we're now required to do some additional setup for tests.

Comment From: jzheaux

Hi, @jvalkeal, thanks for the report. I wonder if it's related to how OpaqueTokenIntrospector is deciding to send an OAuth2AuthenticationException.

There doesn't appear to be anything wrong with the test itself. Do you have a report that prints out the exception that you get? Or, are you able to provide a minimal sample to simplify reproduction of the issue?

Comment From: jvalkeal

Maybe there's a difference in how real webmvc vs. mockmvc handles things when AuthenticationFailureHandler itself throws an exception.

Comment From: jzheaux

@jvalkeal, when I run the test you indicated, it fails because the backing authorization server throws a 400 error when the test token is specified. According to the OAuth 2.0 Introspection RFC, a 4xx error means a client error, which is why Spring Security throws an AuthenticationServiceException, indicating an application configuration issue.

That said, I believe this authorization server is returning the 400 error incorrectly. For reference, I filed https://github.com/spring-projects/spring-security-oauth/issues/1942.

I'm going to close this issue, though you might consider changing over to Spring Authorization Server which should allow you to remove the AuthenticationServiceException.
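
Added example, not part of the original thread and not code from Spring Cloud Dataflow or Spring Security: a MockMvc test that stubs OpaqueTokenIntrospector so the two failure modes discussed above (a rejected token versus a failing introspection call) can be tested without a backing authorization server. It assumes Spring Security 5.5 or later, a Spring Boot test context whose security configuration uses `oauth2ResourceServer().opaqueToken()` and looks up the OpaqueTokenIntrospector bean, and that `/` requires authentication; the class name and exception messages are hypothetical.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.oauth2.server.resource.introspection.BadOpaqueTokenException;
import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionException;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.test.web.servlet.MockMvc;

import static org.assertj.core.api.Assertions.assertThatThrownBy;
import static org.mockito.BDDMockito.given;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@SpringBootTest
@AutoConfigureMockMvc
class OpaqueTokenFailureModesTests { // hypothetical test class

    @Autowired
    MockMvc mockMvc;

    // Replaces the real introspector, so no authorization server is contacted.
    @MockBean
    OpaqueTokenIntrospector introspector;

    @Test
    void rejectedTokenYields401() throws Exception {
        // The introspector reports the token itself as invalid (e.g. not active).
        given(introspector.introspect("123456"))
            .willThrow(new BadOpaqueTokenException("token is not active"));

        mockMvc.perform(get("/").header("Authorization", "bearer 123456"))
            .andExpect(status().isUnauthorized());
    }

    @Test
    void failedIntrospectionCallIsNotTreatedAsBadToken() {
        // The introspection request failed (e.g. the endpoint answered 400):
        // this is a service/configuration problem, not an invalid credential.
        given(introspector.introspect("123456"))
            .willThrow(new OAuth2IntrospectionException("introspection endpoint returned 400"));

        // The exception propagates out of the filter chain instead of becoming a 401.
        assertThatThrownBy(() ->
                mockMvc.perform(get("/").header("Authorization", "bearer 123456")))
            .isInstanceOf(AuthenticationServiceException.class);
    }
}
```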