From 24a4fbfe56312c806973ce6f7e1c7cf928071970 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Wed, 7 Mar 2018 12:28:45 -0600
Subject: [PATCH] HttpStatusServerAccessDeniedHandler use injected HttpStatus

Fixes: gh-5078
---
 .../HttpStatusServerAccessDeniedHandler.java | 2 +-
 .../HttpStatusServerAccessDeniedHandlerTests.java | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/server/authorization/HttpStatusServerAccessDeniedHandler.java b/web/src/main/java/org/springframework/security/web/server/authorization/HttpStatusServerAccessDeniedHandler.java
index 297986d7a1..9efece2b0c 100644
--- a/web/src/main/java/org/springframework/security/web/server/authorization/HttpStatusServerAccessDeniedHandler.java
+++ b/web/src/main/java/org/springframework/security/web/server/authorization/HttpStatusServerAccessDeniedHandler.java
@@ -46,7 +46,7 @@ public class HttpStatusServerAccessDeniedHandler implements ServerAccessDeniedHa
 public Mono handle(ServerWebExchange exchange, AccessDeniedException e) {
 return Mono.defer(() -> Mono.just(exchange.getResponse()))
 .flatMap(response -> {
- response.setStatusCode(HttpStatus.FORBIDDEN);
+ response.setStatusCode(this.httpStatus);
 response.getHeaders().setContentType(MediaType.TEXT_PLAIN);
 DataBufferFactory dataBufferFactory = response.bufferFactory();
 DataBuffer buffer = dataBufferFactory.wrap(e.getMessage().getBytes(
diff --git a/web/src/test/java/org/springframework/security/web/server/authorization/HttpStatusServerAccessDeniedHandlerTests.java b/web/src/test/java/org/springframework/security/web/server/authorization/HttpStatusServerAccessDeniedHandlerTests.java
index 25562fd72a..87600c87ce 100644
--- a/web/src/test/java/org/springframework/security/web/server/authorization/HttpStatusServerAccessDeniedHandlerTests.java
+++ b/web/src/test/java/org/springframework/security/web/server/authorization/HttpStatusServerAccessDeniedHandlerTests.java
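Review bot: The response body is still built from `e.getMessage()` a few lines below the changed call, so once the status comes from `this.httpStatus`, a handler configured with, say, 404 to avoid confirming that a protected resource exists will still send the access-denied message as `text/plain`. If that is intended, the class Javadoc should say so, e.g. `The response body is always the AccessDeniedException message, whatever status is configured.`; otherwise consider leaving the body empty when the configured status is not 403. `e.getMessage()` is also dereferenced without a null check, which would fail inside the `flatMap` for an exception created without a message. The body of `handle` continues past the end of this hunk, and the constructor that sets `httpStatus` is not shown, so whether it rejects `null` cannot be confirmed here.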
@@ -38,7 +38,7 @@ import static org.mockito.Mockito.verifyZeroInteractions;
 public class HttpStatusServerAccessDeniedHandlerTests {
 @Mock
 private ServerWebExchange exchange;
- private final HttpStatus httpStatus = HttpStatus.FORBIDDEN;
+ private HttpStatus httpStatus = HttpStatus.FORBIDDEN;
 private HttpStatusServerAccessDeniedHandler handler = new HttpStatusServerAccessDeniedHandler(this.httpStatus);
 private AccessDeniedException exception = new AccessDeniedException("Forbidden");
@@ -63,4 +63,15 @@ public class HttpStatusServerAccessDeniedHandlerTests {
 assertThat(this.exchange.getResponse().getStatusCode()).isEqualTo(this.httpStatus);
 }
+
+ @Test
+ public void commenceWhenCustomStatusSubscribeThenStatusSet() {
+ this.httpStatus = HttpStatus.NOT_FOUND;
+ this.handler = new HttpStatusServerAccessDeniedHandler(this.httpStatus);
+ this.exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/").build());
+
+ this.handler.handle(this.exchange, this.exception).block();
+
+ assertThat(this.exchange.getResponse().getStatusCode()).isEqualTo(this.httpStatus);
+ }
 }
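Review bot: The new test reassigns the shared `httpStatus` and `handler` fields, which is the only reason the first hunk drops `final` from `httpStatus`. A local `HttpStatus status = HttpStatus.NOT_FOUND;` and a locally built handler would keep the field immutable and the test self-contained. The method is named `commenceWhenCustomStatusSubscribeThenStatusSet` although it calls `handle`, so `handleWhenCustomStatusSubscribeThenStatusSet` would describe it better; the neighbouring tests are outside the hunk and may share this naming. The test asserts only the status code, so it would not catch a regression in the body or content type written for a non-403 status.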