diff --git a/src/Controller/Component/SecurityComponent.php b/src/Controller/Component/SecurityComponent.php
index 7877d589839..923f28e862e 100644
--- a/src/Controller/Component/SecurityComponent.php
+++ b/src/Controller/Component/SecurityComponent.php
@@ -106,37 +106,29 @@ public function startup(Event $event)
         $this->_action = $this->request->params['action'];
         try {
             $this->_secureRequired($controller);
-        } catch (SecurityException $se) {
-            $this->blackHole($controller, $se->getType(), $se);
-        }
-        try {
             $this->_authRequired($controller);
-        } catch (AuthSecurityException $ase) {
-            $this->blackHole($controller, $ase->getType(), $ase);
-        }
-
 
-        $hasData = !empty($this->request->data);
-        $isNotRequestAction = (
-            !isset($controller->request->params['requested']) ||
-            $controller->request->params['requested'] != 1
-        );
+            $hasData = !empty($this->request->data);
+            $isNotRequestAction = (
+                !isset($controller->request->params['requested']) ||
+                $controller->request->params['requested'] != 1
+            );
 
-        if ($this->_action === $this->_config['blackHoleCallback']) {
-            return $this->blackHole($controller, 'auth');
-        }
+            if ($this->_action === $this->_config['blackHoleCallback']) {
+                throw new AuthSecurityException(sprintf('Action %s is defined as the blackhole callback.', $this->_action));
+            }
 
-        if (!in_array($this->_action, (array)$this->_config['unlockedActions']) &&
-            $hasData && $isNotRequestAction
-        ) {
-            if ($this->_config['validatePost']) {
-                try {
+            if (!in_array($this->_action, (array)$this->_config['unlockedActions']) &&
+                $hasData && $isNotRequestAction
+            ) {
+                if ($this->_config['validatePost']) {
                     $this->_validatePost($controller);
-                } catch (SecurityException $se) {
-                    return $this->blackHole($controller, $se->getType(), $se);
                 }
             }
+        } catch (SecurityException $se) {
+            $this->blackHole($controller, $se->getType(), $se);
         }
+
         $this->generateToken($controller->request);
         if ($hasData && is_array($controller->request->data)) {
             unset($controller->request->data['_Token']);
@@ -188,6 +180,7 @@ public function requireAuth($actions)
      *
      * @param \Cake\Controller\Controller $controller Instantiating controller
      * @param string $error Error method
+     * @param SecurityException $exception thrown by validate methods, passed only in debug mode
      * @return mixed If specified, controller blackHoleCallback's response, or no return otherwise
      * @see SecurityComponent::$blackHoleCallback
      * @link http://book.cakephp.org/3.0/en/controllers/components/security.html#handling-blackhole-callbacks