Add reasons to AuthorizationDecisions

Closes gh-9287

Author: marcusdacoregio

core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationDecision.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright 2002-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authorization;
+
+import java.util.Collection;
+
+/**
+ * Represents an {@link AuthorizationDecision} based on a collection of authorities
+ *
+ * @author Marcus Da Coregio
+ * @since 5.6
+ */
+class AuthorityAuthorizationDecision extends AuthorizationDecision {
+
+	private final Collection<String> authorities;
+
+	AuthorityAuthorizationDecision(boolean granted, Collection<String> authorities) {
+		super(granted);
+		this.authorities = authorities;
+	}
+
+	Collection<String> getAuthorities() {
+		return this.authorities;
+	}
+
+	@Override
+	public String toString() {
+		return getClass().getSimpleName() + " [" + "granted=" + isGranted() + ", authorities=" + this.authorities + ']';
+	}
+
+}

core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java

@@ -124,7 +124,7 @@ private static String[] toNamedRolesArray(String rolePrefix, String[] roles) {
 	@Override
 	public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
 		boolean granted = isGranted(authentication.get());
-		return new AuthorizationDecision(granted);
+		return new AuthorityAuthorizationDecision(granted, this.authorities);
 	}
 
 	private boolean isGranted(Authentication authentication) {

core/src/main/java/org/springframework/security/authorization/AuthorityReactiveAuthorizationManager.java

@@ -48,8 +48,8 @@ public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T
 				.flatMapIterable(Authentication::getAuthorities)
 				.map(GrantedAuthority::getAuthority)
 				.any(this.authorities::contains)
-				.map(AuthorizationDecision::new)
-				.defaultIfEmpty(new AuthorizationDecision(false));
+				.map((granted) -> ((AuthorizationDecision) new AuthorityAuthorizationDecision(granted, this.authorities)))
+				.defaultIfEmpty(new AuthorityAuthorizationDecision(false, this.authorities));
 		// @formatter:on
 	}
 

core/src/main/java/org/springframework/security/authorization/AuthorizationDecision.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,4 +32,9 @@ public boolean isGranted() {
 		return this.granted;
 	}
 
+	@Override
+	public String toString() {
+		return getClass().getSimpleName() + " [granted=" + this.granted + "]";
+	}
+
 }

core/src/main/java/org/springframework/security/authorization/method/ExpressionAttribute.java

@@ -49,4 +49,10 @@ Expression getExpression() {
 		return this.expression;
 	}
 
+	@Override
+	public String toString() {
+		return getClass().getSimpleName() + " [Expression="
+				+ ((this.expression != null) ? this.expression.getExpressionString() : null) + "]";
+	}
+
 }

core/src/main/java/org/springframework/security/authorization/method/ExpressionAttributeAuthorizationDecision.java

@@ -0,0 +1,46 @@
+/*
+ * Copyright 2002-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authorization.method;
+
+import org.springframework.security.authorization.AuthorizationDecision;
+
+/**
+ * Represents an {@link AuthorizationDecision} based on a {@link ExpressionAttribute}
+ *
+ * @author Marcus Da Coregio
+ * @since 5.6
+ */
+class ExpressionAttributeAuthorizationDecision extends AuthorizationDecision {
+
+	private final ExpressionAttribute expressionAttribute;
+
+	ExpressionAttributeAuthorizationDecision(boolean granted, ExpressionAttribute expressionAttribute) {
+		super(granted);
+		this.expressionAttribute = expressionAttribute;
+	}
+
+	ExpressionAttribute getExpressionAttribute() {
+		return this.expressionAttribute;
+	}
+
+	@Override
+	public String toString() {
+		return getClass().getSimpleName() + " [" + "granted=" + isGranted() + ", expressionAttribute="
+				+ this.expressionAttribute + ']';
+	}
+
+}

core/src/main/java/org/springframework/security/authorization/method/PostAuthorizeAuthorizationManager.java

@@ -76,7 +76,7 @@ public AuthorizationDecision check(Supplier<Authentication> authentication, Meth
 				mi.getMethodInvocation());
 		this.expressionHandler.setReturnObject(mi.getResult(), ctx);
 		boolean granted = ExpressionUtils.evaluateAsBoolean(attribute.getExpression(), ctx);
-		return new AuthorizationDecision(granted);
+		return new ExpressionAttributeAuthorizationDecision(granted, attribute);
 	}
 
 	private final class PostAuthorizeExpressionAttributeRegistry

core/src/main/java/org/springframework/security/authorization/method/PreAuthorizeAuthorizationManager.java

@@ -74,7 +74,7 @@ public AuthorizationDecision check(Supplier<Authentication> authentication, Meth
 		}
 		EvaluationContext ctx = this.expressionHandler.createEvaluationContext(authentication.get(), mi);
 		boolean granted = ExpressionUtils.evaluateAsBoolean(attribute.getExpression(), ctx);
-		return new AuthorizationDecision(granted);
+		return new ExpressionAttributeAuthorizationDecision(granted, attribute);
 	}
 
 	private final class PreAuthorizeExpressionAttributeRegistry