When using @AuthorizeReturnObject on a controller method like so:
@AuthorizeReturnObject
@GetMapping(...)
public MyObject getObject() {
return ...
}
Any unhandled authorization failures are not propagated to the ExceptionTranslationFilter and instead result in a 500.
Security currently supports using @HandleAuthorizationDenied to provide behavior like ignoring that field when the response is serialized. However, it would be helpful to be able to leverage the logic in ExceptionTranslationFilter, including calling any configured AccessDeniedHandler.