We recently started using the @PreAuthorize annotation with our REST endpoints. It works great, however, I did have a question regarding the HTTP code returned when issuing a GET vs. a POST or PUT. It appears that when a user is not authorized to access the controller's REST endpoint that the HTTP status returned is different for GET and PUT/POST. So for example, if I have an endpoint that is a GET and has a @PreAuthorize annotation and the user doesn't have access, a 403 Forbidden is returned. This is what I expect. If the same annotation is then placed on a controller method that is a POST or a PUT, the HTTP response is 405 Method Not Allowed. When stepping through the code you can see that the underlying security filter returns a 403, but in the POST/PUT scenario the status code is dropped/ignored and replaced with a 405, much like it does when a NullPointerExcpetion occurs in your controller code. Is this the expected behavior or should a 403 Forbidden always be returned for users who do not have access to an end point?