200 response is returned when ObservationMarkingRequestRejectedHandler is in use

[philwebb]

Describe the bug
When using Micrometer Observability the following code configures an ObservationMarkingRequestRejectedHandler:

spring-security/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java

Line 313 in 7456c47

.setRequestRejectedHandler(new ObservationMarkingRequestRejectedHandler(this.observationRegistry));

This handler replaces the HttpStatusRequestRejectedHandler which means that 200 responses get returned instead of 400.

To Reproduce
Run https://github.com/philwebb/whats-new-in-spring-boot-3-0 and hit a URL with two slashes.

$ http localhost:8080/dog///
HTTP/1.1 200 
Connection: keep-alive
Content-Length: 0
Date: Fri, 13 Jan 2023 23:22:39 GMT
Keep-Alive: timeout=60

Expected behavior
The above should return 400

Sample
(not minimal)

Run https://github.com/philwebb/whats-new-in-spring-boot-3-0

[philwebb]

@jzheaux Should the same CompositeRequestRejectedHandler logic be applied if the user has called the requestRejectedHandler(...) method? Or are they expected to wire up their own ObservationMarkingRequestRejectedHandler in such cases?

spring-security/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java

Line 311 in c3563df

filterChainProxy.setRequestRejectedHandler(this.requestRejectedHandler);