Spring Security Pre/PostAuthorize should not ignore HandleAuthorizationDenied#handlerClass when ApplicationContext is not provided

A test like this:

public class HandleTests {

    @Test
    public void test() {
       AuthorizationProxyFactory proxyFactory = AuthorizationAdvisorProxyFactory.withDefaults();
       Account account = (Account) proxyFactory.proxy(new Account());
       assertThat(account.getAccountNumber()).isNull();
    }

    public static class Account {
       @PreAuthorize("denyAll")
       @HandleAuthorizationDenied(handlerClass = NullMethodAuthorizationDeniedHandler.class)
       public String getAccountNumber() {
          return "123";
       }
    }

    public class NullMethodAuthorizationDeniedHandler implements MethodAuthorizationDeniedHandler {
       @Override
       public Object handleDeniedInvocation(MethodInvocation methodInvocation, AuthorizationResult authorizationResult) {
          return null;
       }
    }
}

Will fall back to throwing an exception since there is no application context provided to PostAuthorizeAuthorizationManager.

Instead, it should at least error so the application doesn't get the impression that their handler class is being used.

Comment From: jzheaux

Let's backport #15496 instead.