After updating from 5.6.1 to 5.6.2 (by updating from Boot 2.6.3 to 2.6.4), the Boot /error page isn't accessible anymore in certain cases. Here's a sample app with an integration test that showcases the issue: spring-boot-errorpage-security-issue.zip

I reported this as a Boot issue first (as I wasn't sure what the root problem is). Andy Wilkinson had a look and concluded that this is related to Spring Security rather than the way that Boot sets up its /error page. There are workarounds, like explicitly permitting access to /error or using authorizeRequests instead of authorizeHttpRequests, but without additional info I do expect this to be a regression bug.

Comment From: jkuipers

Hey, I was wondering if you could at least confirm that this is considered a bug. Also, not sure if you saw Andy's comment in the Boot issue, but when you use authorizeRequests instead of authorizeHttpRequests, the behavior is as expected.

Comment From: marcusdacoregio

Hi @jkuipers, this is probably related to https://github.com/spring-projects/spring-security/issues/10950.

You can see the following in the debug logs: "Abstaining since did not find matching RequestMatcher", and there was a bug with the AuthorizationManagerWebInvocationPrivilegeEvaluator where it denied access if there was no decision, also known as AuthorizationDecision == null.

When using authorizeRequests() it works because it uses the DefaultWebInvocationPrivilegeEvaluator.

Can you please try version 5.6.3-SNAPSHOT of Spring Security and confirm if it works?

Comment From: jkuipers

I can confirm that the integration test passes with 5.6.3-SNAPSHOT. Your explanation makes sense, so with that I will close this issue.

Comment From: marcusdacoregio

Thanks for verifying @jkuipers. Have a great weekend!
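
The workaround named in the issue description (explicitly permitting access to /error while staying on authorizeHttpRequests), sketched as an added example that is not part of the thread or the attached sample app. The class name, the `/api/**` rule and the use of HTTP Basic are assumptions for illustration; the thread does not show the sample app's actual configuration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical configuration class for a Boot 2.6.4 / Spring Security 5.6.2 app.
@Configuration
public class ErrorPageWorkaroundConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                // Workaround: give /error an explicit rule, so a request
                // matcher is found and the evaluation returns a real
                // decision instead of abstaining (AuthorizationDecision == null).
                .antMatchers("/error").permitAll()
                // Assumed application rule. It does not match /error, which is
                // the situation where the "Abstaining since did not find
                // matching RequestMatcher" log line appears.
                .antMatchers("/api/**").authenticated()
            )
            // Assumed authentication mechanism, only to make the chain complete.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Per the thread, the explicit /error rule is only needed on 5.6.2; the reporter confirmed the integration test passes with 5.6.3-SNAPSHOT without it.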