Describe the bug
When using Micrometer Observability the following code configures an ObservationMarkingRequestRejectedHandler:
https://github.com/spring-projects/spring-security/blob/7456c4756808920617330abd8e6280993cf832f6/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java#L313
This handler replaces the HttpStatusRequestRejectedHandler, which means that 200 responses get returned instead of 400.
To Reproduce
Run https://github.com/philwebb/whats-new-in-spring-boot-3-0 and hit a URL with two slashes.
$ http localhost:8080/dog///
HTTP/1.1 200
Connection: keep-alive
Content-Length: 0
Date: Fri, 13 Jan 2023 23:22:39 GMT
Keep-Alive: timeout=60
Expected behavior
The above should return 400
Sample (not minimal)
Run https://github.com/philwebb/whats-new-in-spring-boot-3-0
Comment From: philwebb
@jzheaux Should the same CompositeRequestRejectedHandler logic be applied if the user has called the requestRejectedHandler(...) method? Or are they expected to wire up their own ObservationMarkingRequestRejectedHandler in such cases?
https://github.com/spring-projects/spring-security/blob/c3563df25abd9d8e67d0199746d7ca8972bf34d0/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java#L311
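One way an application could keep the 400 response while still marking the observation, added here as an example and not code from Spring Security or from this thread: the class name is hypothetical, and it assumes Spring Security 6 with Micrometer on the classpath and that a `RequestRejectedHandler` bean is used in place of the default handler.

```java
import java.util.List;

import io.micrometer.observation.ObservationRegistry;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
import org.springframework.security.web.firewall.ObservationMarkingRequestRejectedHandler;
import org.springframework.security.web.firewall.RequestRejectedHandler;

// Hypothetical configuration class (not part of Spring Security).
@Configuration
public class RejectedRequestConfig {

    // Assumption: this bean replaces the default RequestRejectedHandler
    // that WebSecurity would otherwise configure.
    @Bean
    RequestRejectedHandler requestRejectedHandler(ObservationRegistry registry) {
        List<RequestRejectedHandler> delegates = List.of(
                // Records the rejection on the current observation only;
                // it does not touch the HTTP response.
                new ObservationMarkingRequestRejectedHandler(registry),
                // Sends the 400 status. Without this delegate the response
                // is never written and the client sees an empty 200.
                new HttpStatusRequestRejectedHandler());

        // Call every delegate in order, so the rejection is both observed
        // and answered with an error status.
        return (request, response, ex) -> {
            for (RequestRejectedHandler delegate : delegates) {
                delegate.handle(request, response, ex);
            }
        };
    }
}
```

With this in place, the firewall-rejected request from the report (`localhost:8080/dog///`) should come back as 400 rather than 200.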