Remove blocking call from ExceptionTranslationWebFilter

This also means that the exception message is no longer retrieved from a MessageSource. This is consistent with the other WebFilters.

Closes gh-10864

web/src/main/java/org/springframework/security/web/server/authorization/ExceptionTranslationWebFilter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,7 +20,6 @@ import reactor.core.publisher.Mono;
 
 import org.springframework.context.MessageSource;
 import org.springframework.context.MessageSourceAware;
-import org.springframework.context.support.MessageSourceAccessor;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
@@ -29,7 +28,6 @@ import org.springframework.security.authentication.AuthenticationTrustResolverIm
 import org.springframework.security.authentication.InsufficientAuthenticationException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.SpringSecurityMessageSource;
 import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
 import org.springframework.security.web.server.authentication.HttpBasicServerAuthenticationEntryPoint;
 import org.springframework.util.Assert;
@@ -51,8 +49,6 @@ public class ExceptionTranslationWebFilter implements WebFilter, MessageSourceAw
 
 	private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
 
-	protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
-
 	@Override
 	public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
 		return chain.filter(exchange).onErrorResume(AccessDeniedException.class, (denied) -> exchange.getPrincipal()
@@ -60,8 +56,7 @@ public class ExceptionTranslationWebFilter implements WebFilter, MessageSourceAw
 						&& !(this.authenticationTrustResolver.isAnonymous((Authentication) principal)))))
 				.switchIfEmpty(commenceAuthentication(exchange,
 						new InsufficientAuthenticationException(
-								this.messages.getMessage("ExceptionTranslationWebFilter.insufficientAuthentication",
+								"Full authentication is required to access this resource")))
-										"Full authentication is required to access this resource"))))
 				.flatMap((principal) -> this.accessDeniedHandler.handle(exchange, denied)).then());
 	}
 
@@ -99,11 +94,10 @@ public class ExceptionTranslationWebFilter implements WebFilter, MessageSourceAw
 
 	/**
 	 * @since 5.5
+	 * @deprecated This class no longer retrieves error messages from a MessageSource
 	 */
-	@Override
+	@Deprecated
 	public void setMessageSource(MessageSource messageSource) {
-		Assert.notNull(messageSource, "messageSource cannot be null");
-		this.messages = new MessageSourceAccessor(messageSource);
 	}
 
 	private <T> Mono<T> commenceAuthentication(ServerWebExchange exchange, AuthenticationException denied) {

web/src/test/java/org/springframework/security/web/server/authorization/ExceptionTranslationWebFilterTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -161,9 +161,4 @@ public class ExceptionTranslationWebFilterTests {
 		assertThatIllegalArgumentException().isThrownBy(() -> this.filter.setAuthenticationTrustResolver(null));
 	}
 
-	@Test
-	public void setMessageSource() {
-		assertThatIllegalArgumentException().isThrownBy(() -> this.filter.setMessageSource(null));
-	}
-
 }