我有一个spring引导库，它用

@Component
public class AuthenticationSuccessListener implements ApplicationListener<AuthenticationSuccessEvent> {

    @Override
    public void onApplicationEvent(AuthenticationSuccessEvent event) {
        // this gets called
    }
}

和

@Component
public class CustomAccessDeniedHandler implements AccessDeniedHandler
{
    @Override
    public void handle
    (
        HttpServletRequest    request,
        HttpServletResponse   response,
        AccessDeniedException exception
    )
    throws IOException, ServletException
    {
        // this also gets called
    }
}

身份验证成功，但访问被拒绝。日志里没有其他线索。
在身份验证和授予/拒绝访问之间会发生什么？