Merge branch '6.0.x'

Closes gh-12593

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java

@@ -56,7 +56,9 @@
 import org.springframework.security.web.access.intercept.AuthorizationFilter;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.debug.DebugFilter;
+import org.springframework.security.web.firewall.CompositeRequestRejectedHandler;
 import org.springframework.security.web.firewall.HttpFirewall;
+import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
 import org.springframework.security.web.firewall.ObservationMarkingRequestRejectedHandler;
 import org.springframework.security.web.firewall.RequestRejectedHandler;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
@@ -309,8 +311,10 @@ protected Filter performBuild() throws Exception {
 			filterChainProxy.setRequestRejectedHandler(this.requestRejectedHandler);
 		}
 		else if (!this.observationRegistry.isNoop()) {
-			filterChainProxy
-					.setRequestRejectedHandler(new ObservationMarkingRequestRejectedHandler(this.observationRegistry));
+			CompositeRequestRejectedHandler requestRejectedHandler = new CompositeRequestRejectedHandler(
+					new ObservationMarkingRequestRejectedHandler(this.observationRegistry),
+					new HttpStatusRequestRejectedHandler());
+			filterChainProxy.setRequestRejectedHandler(requestRejectedHandler);
 		}
 		filterChainProxy.setFilterChainDecorator(getFilterChainDecorator());
 		filterChainProxy.afterPropertiesSet();

config/src/test/java/org/springframework/security/config/annotation/web/builders/WebSecurityTests.java

@@ -18,6 +18,8 @@
 
 import java.io.IOException;
 
+import io.micrometer.observation.ObservationRegistry;
+import io.micrometer.observation.ObservationTextPublisher;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletResponse;
 import org.junit.jupiter.api.AfterEach;
@@ -104,13 +106,32 @@ public void ignoringMvcMatcher() throws Exception {
 
 	@Test
 	public void requestRejectedHandlerInvoked() throws ServletException, IOException {
+		loadConfig(DefaultConfig.class);
+		this.request.setServletPath("/spring");
+		this.request.setRequestURI("/spring/\u0019path");
+		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+		assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_BAD_REQUEST);
+	}
+
+	@Test
+	public void customRequestRejectedHandlerInvoked() throws ServletException, IOException {
 		loadConfig(RequestRejectedHandlerConfig.class);
 		this.request.setServletPath("/spring");
 		this.request.setRequestURI("/spring/\u0019path");
 		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
 		assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_BAD_REQUEST);
 	}
 
+	// gh-12548
+	@Test
+	public void requestRejectedHandlerInvokedWhenOperationalObservationRegistry() throws ServletException, IOException {
+		loadConfig(ObservationRegistryConfig.class);
+		this.request.setServletPath("/spring");
+		this.request.setRequestURI("/spring/\u0019path");
+		this.springSecurityFilterChain.doFilter(this.request, this.response, this.chain);
+		assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_BAD_REQUEST);
+	}
+
 	@Test
 	public void ignoringMvcMatcherServletPath() throws Exception {
 		loadConfig(MvcMatcherServletPathConfig.class, LegacyMvcMatchingConfig.class);
@@ -143,6 +164,11 @@ public void loadConfig(Class<?>... configs) {
 		this.context.getAutowireCapableBeanFactory().autowireBean(this);
 	}
 
+	@EnableWebSecurity
+	static class DefaultConfig {
+
+	}
+
 	@EnableWebSecurity
 	@Configuration
 	@EnableWebMvc
@@ -243,4 +269,17 @@ WebSecurityCustomizer webSecurityCustomizer() {
 
 	}
 
+	@Configuration
+	@EnableWebSecurity
+	static class ObservationRegistryConfig {
+
+		@Bean
+		ObservationRegistry observationRegistry() {
+			ObservationRegistry observationRegistry = ObservationRegistry.create();
+			observationRegistry.observationConfig().observationHandler(new ObservationTextPublisher());
+			return observationRegistry;
+		}
+
+	}
+
 }