From a3c2733d0b9908ab1724139944a062567a7a6705 Mon Sep 17 00:00:00 2001
From: Swordsteel
Date: Thu, 31 Jul 2025 22:46:45 +0200
Subject: [PATCH] add UserAccessDeniedHandler make 404 on 401
---
 .../hlaeja/configuration/SecurityConfiguration.kt | 2 ++
 .../security/handler/UserAccessDeniedHandler.kt | 15 +++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 src/main/kotlin/ltd/hlaeja/security/handler/UserAccessDeniedHandler.kt
diff --git a/src/main/kotlin/ltd/hlaeja/configuration/SecurityConfiguration.kt b/src/main/kotlin/ltd/hlaeja/configuration/SecurityConfiguration.kt
index 977bf01..71a6bc5 100644
--- a/src/main/kotlin/ltd/hlaeja/configuration/SecurityConfiguration.kt
+++ b/src/main/kotlin/ltd/hlaeja/configuration/SecurityConfiguration.kt
@@ -1,6 +1,7 @@
 package ltd.hlaeja.configuration
 import ltd.hlaeja.security.handler.CsrfAccessDeniedHandler
+import ltd.hlaeja.security.handler.UserAccessDeniedHandler
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.http.HttpStatus.FOUND
@@ -17,6 +18,7 @@ class SecurityConfiguration {
 @Bean
 fun securityWebFilterChain(serverHttpSecurity: ServerHttpSecurity): SecurityWebFilterChain = serverHttpSecurity
 .csrf { it.accessDeniedHandler(CsrfAccessDeniedHandler()) }
+ .exceptionHandling { it.accessDeniedHandler(UserAccessDeniedHandler()) }
 .authorizeExchange(::authorizeExchange)
 .formLogin(::formLogin)
 .logout(::logout)
diff --git a/src/main/kotlin/ltd/hlaeja/security/handler/UserAccessDeniedHandler.kt b/src/main/kotlin/ltd/hlaeja/security/handler/UserAccessDeniedHandler.kt
new file mode 100644
index 0000000..4771b44
--- /dev/null
+++ b/src/main/kotlin/ltd/hlaeja/security/handler/UserAccessDeniedHandler.kt
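Review bot: The `.exceptionHandling { it.accessDeniedHandler(UserAccessDeniedHandler()) }` line added to `securityWebFilterChain` in SecurityConfiguration.kt covers only requests from an authenticated principal that fail authorization (the 403 case), while the commit subject says "404 on 401". In Spring Security WebFlux a denied request with no authenticated principal is routed to the authentication entry point instead, which with `.formLogin` presumably still redirects to the login page, so the masking would not apply to anonymous callers; the `authorizeExchange` rules are not visible here, so this should be confirmed. If masking is meant for logged-in users only, a comment such as `// Masks authorization failures (403) as 404; unauthenticated requests still reach the login entry point` would record that, otherwise the entry point needs matching treatment. The builder chain continues outside the hunk.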
@@ -0,0 +1,15 @@
+package ltd.hlaeja.security.handler
+
+import org.springframework.http.HttpStatus.NOT_FOUND
+import org.springframework.security.access.AccessDeniedException
+import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler
+import org.springframework.web.server.ResponseStatusException
+import org.springframework.web.server.ServerWebExchange
+import reactor.core.publisher.Mono
+
+class UserAccessDeniedHandler : ServerAccessDeniedHandler {
+ override fun handle(
+ exchange: ServerWebExchange,
+ denied: AccessDeniedException,
+ ): Mono = Mono.error(ResponseStatusException(NOT_FOUND, "Access denied ${exchange.request.path}", denied))
+}
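Review bot: The reason string `"Access denied ${exchange.request.path}"` passed to `ResponseStatusException` in `handle` undercuts the 404 masking wherever the reason is rendered. If the error response includes the exception message (for example `server.error.include-message=always`, or a custom error handler not shown here), a masked denial becomes distinguishable from a genuine 404 and echoes the request path back to the caller. Keeping the cause but dropping the reason, `Mono.error(ResponseStatusException(NOT_FOUND, null, denied))`, avoids that. The denial should then be written to a log statement in the handler so authorization failures stay visible to monitoring. A one-line KDoc on the class stating that it deliberately answers 404 instead of 403 would also help the next reader.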