Exceptions in this module are bypassing @ControllerAdvice

[nkavian]

Describe the bug
When this module throws an exception, it's somehow bypassing @ControllerAdvice and renders the stack trace into the browser. The expected behavior is that the configured @ControllerAdvice should be called like all other exceptions so that I can display an appropriate error HTML. Rendering the stack trace is also against security best practices.

To Reproduce

1. Create a controller advice to catch all Throwables, something like:

    @ExceptionHandler(Throwable.class)
    @ResponseStatus(code = HttpStatus.INTERNAL_SERVER_ERROR)
    public Object exception(final HttpServletRequest request, final Exception exception) {
        System.out.println("this is never called");
        return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).build();
    }

2. Load your sample JDBC application.
3. While running, rename the the attributes table so it no longer exists; i.e. we are trying to cause any exception, but assume this scenario is like a database or network connectivity issue.
4. Browse to your app.
5. Watch a stack trace being rendered to the screen and the above controller advice method is never called.
6. If I perform the same steps with other tables I use in my application, the above method is called and I am able to render an appropriate HTML error page.
7. Looks like bugsnag's unhandled exceptions is not even called so I won't even know there was a user experience problem or error. Since a session is processed very early in the filtering, if there is a failure, it will cause me to be blind. Let's say the database is down, your bug here will trigger, and I would not have received a bugsnag alert, for let's say, some other table not being accessible which I do receive alerts on.

Expected behavior
The expected behavior is that the configured @ControllerAdvice should be called like all other exceptions so that I can display an appropriate error HTML.

In terms of PCI security, devops are obligated to hide application server versions. So the above error is cause not only the stack trace but also prints in the footer Apache Tomcat/9.0.17. The purpose behind this PCI security item is that hackers will try to sniff application versions so that they can find bugs affecting that application version and attack.

Support ControllerAdvice handling as well as support unhandled exceptions correctly so that Bugsnag can detect it. Just to reiterate, you display a stack trace in the browser for customers to see, you send it to the console output/log file which is not monitored and likely deleted when the cluster is redeployed, and so this amounts to silently failing and swallowing the errors. This might be okay only in a development environment when running the code locally..