Spring Security BUG : Cors changing SimpleUrlMapping with CorsConfig to ResourceHttpRequestHandler

Describe the bug Have a SimpleUrlMapping with CorsConfig passing all test for several months now. Am testing with Cors and am getting weird errors:

Caused by: java.lang.IllegalStateException: Cannot call sendError() after the response has been committed
    at org.apache.catalina.connector.ResponseFacade.sendError(ResponseFacade.java:472)
    at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:129)
    at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:129)
    at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:129)
    at org.springframework.security.web.util.OnCommittedResponseWrapper.sendError(OnCommittedResponseWrapper.java:116)
    at org.springframework.web.servlet.resource.ResourceHttpRequestHandler.handleRequest(ResourceHttpRequestHandler.java:561)
    at org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter.handle(HttpRequestHandlerAdapter.java:52)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1067)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)

NOTE: Made sure to use CorsUtils.isCorsRequest(request) in a filter AFTER Cors to make sure it was a Cors request

The sendError appears to be from it not being able to find the mapping/resource which makes sense as it is supposed to use SimpleUrlHandlerMapping and not ResourceHttpRequestHandler

As stated earlier, when running tests without CORS, it is fine. Buts Cors seems to be OVERRIDING /DEFAULTING back to this.

Here is the definition of my SimpleUrlHandlerMapping:

        SimpleUrlHandlerMapping mapping = new SimpleUrlHandlerMapping();
        mapping.registerHandlers(urlMap)
        mapping.setUrlMap(urlMap);
        mapping.setOrder(Integer.MAX_VALUE - 2);
        mapping.setInterceptors(new Object[]{new ApiInterceptor(throttleCacheService, exchangeService, batchService, chainService, traceExchangeService, apiProperties)})
        mapping.setApplicationContext(context);
        mapping.setCorsConfigurations(corsMap);
        return mapping;

I have created a workaround by using a FORWARD to bypass and get expected behaviour and the SimpleUrlHandlerMapping handles it normally. This isn't acceptible for security however; it was just to pinpoint the error.

To Reproduce Can provide access to private repo

Expected behavior Expect SimpleUrlHandleMapping to handle errors and mapping and not default to another class that it is overriding

Sample Hard to boil down mapping, security, MVC to a minimal reproducible sample :) Let me know what YOU need

Comment From: orubel

Filing in Spring Framework