HttpStatusServerAccessDeniedHandler use injected HttpStatus

Fixes: gh-5078

Author: rwinch

web/src/main/java/org/springframework/security/web/server/authorization/HttpStatusServerAccessDeniedHandler.java

@@ -46,7 +46,7 @@ public HttpStatusServerAccessDeniedHandler(HttpStatus httpStatus) {
 	public Mono<Void> handle(ServerWebExchange exchange, AccessDeniedException e) {
 		return Mono.defer(() -> Mono.just(exchange.getResponse()))
 			.flatMap(response -> {
-				response.setStatusCode(HttpStatus.FORBIDDEN);
+				response.setStatusCode(this.httpStatus);
 				response.getHeaders().setContentType(MediaType.TEXT_PLAIN);
 				DataBufferFactory dataBufferFactory = response.bufferFactory();
 				DataBuffer buffer = dataBufferFactory.wrap(e.getMessage().getBytes(

web/src/test/java/org/springframework/security/web/server/authorization/HttpStatusServerAccessDeniedHandlerTests.java

@@ -38,7 +38,7 @@
 public class HttpStatusServerAccessDeniedHandlerTests {
 	@Mock
 	private ServerWebExchange exchange;
-	private final HttpStatus httpStatus = HttpStatus.FORBIDDEN;
+	private HttpStatus httpStatus = HttpStatus.FORBIDDEN;
 	private HttpStatusServerAccessDeniedHandler handler = new HttpStatusServerAccessDeniedHandler(this.httpStatus);
 
 	private AccessDeniedException exception = new AccessDeniedException("Forbidden");
@@ -63,4 +63,15 @@ public void commenceWhenSubscribeThenStatusSet() {
 
 		assertThat(this.exchange.getResponse().getStatusCode()).isEqualTo(this.httpStatus);
 	}
+
+	@Test
+	public void commenceWhenCustomStatusSubscribeThenStatusSet() {
+		this.httpStatus = HttpStatus.NOT_FOUND;
+		this.handler = new HttpStatusServerAccessDeniedHandler(this.httpStatus);
+		this.exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/").build());
+
+		this.handler.handle(this.exchange, this.exception).block();
+
+		assertThat(this.exchange.getResponse().getStatusCode()).isEqualTo(this.httpStatus);
+	}
 }