public abstract class AbstractController {

    @GetMapping("/get")
    public String get() {
        return "OK";
    }
}

@RestController
@Secured("USER")
public class DemoController extends AbstractController {
    /*
    public String get() {
        return super.get();
    }
    */
}
demoController.get() is not protected by @Secured("USER"); we have to redefine it again.
I tried to fix it by adding

    annotations = findClosestClassAnnotations(targetClass, new HashSet<>());
    if (!annotations.isEmpty()) {
        return annotations;
    }

after https://github.com/spring-projects/spring-security/blob/b9f3a28678af525e70cd5aa00abc816163cdb4fe/core/src/main/java/org/springframework/security/core/annotation/UniqueSecurityAnnotationScanner.java#L159-L162 but it broke GH-15352.
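The gap reported above can be reproduced with plain reflection. The following is an added example, not code from the issue or from Spring Security: `Secured` here is a hypothetical stand-in annotation, and `fromDeclaringClass` / `fromTargetClass` are simplified, assumed models of the two lookup strategies, not the real scanner.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

public class InheritedMethodLookup {

    // Hypothetical stand-in for Spring Security's @Secured so this runs without Spring.
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @interface Secured { String value(); }

    static abstract class AbstractController {
        public String get() { return "OK"; }
    }

    @Secured("USER")
    static class DemoController extends AbstractController { }

    // The workaround from the post: redeclare the method in the annotated class.
    @Secured("USER")
    static class OverridingController extends AbstractController {
        @Override
        public String get() { return super.get(); }
    }

    // Lookup keyed on the class that declares the method: never sees the subclass annotation.
    static Secured fromDeclaringClass(Method m) {
        Secured s = m.getAnnotation(Secured.class);
        return s != null ? s : m.getDeclaringClass().getAnnotation(Secured.class);
    }

    // Lookup that falls back to the class the call is actually made on.
    static Secured fromTargetClass(Method m, Class<?> targetClass) {
        Secured s = fromDeclaringClass(m);
        return s != null ? s : targetClass.getAnnotation(Secured.class);
    }

    public static void main(String[] args) throws Exception {
        Method inherited = DemoController.class.getMethod("get");
        Method overridden = OverridingController.class.getMethod("get");
        // The inherited method is declared by AbstractController, which carries no annotation.
        System.out.println("declaring class:      " + inherited.getDeclaringClass().getSimpleName());
        System.out.println("declaring-class scan: " + fromDeclaringClass(inherited));
        System.out.println("target-class scan:    " + fromTargetClass(inherited, DemoController.class));
        System.out.println("after override:       " + fromDeclaringClass(overridden));
    }
}
```

A regression test for this class of bug should invoke the inherited endpoint without the required authority and assert that access is denied, since the unprotected path only shows up on methods the secured class does not redeclare.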
Comment From: quaff
Spring Security should skip intercepting @ExceptionHandler methods rather than ignoring annotations on the target class.