Skip to content

Support Expressions in Method Authorization Denied Handlers #14857

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Tracked by #14595
marcusdacoregio opened this issue Apr 5, 2024 · 1 comment
Open
Tracked by #14595

Support Expressions in Method Authorization Denied Handlers #14857

marcusdacoregio opened this issue Apr 5, 2024 · 1 comment
Labels
in: core An issue in spring-security-core type: enhancement A general enhancement

Comments

@marcusdacoregio
Copy link
Contributor

marcusdacoregio commented Apr 5, 2024
edited by jzheaux
Loading

We should consider supporting expressions in method authorization handlers for simple setups. Currently, if you want to handle authorization denied and map the return value to null, you must create a MethodAuthorizationDeniedHandler/PostProcessor class and expose it as a bean:

@HandleAuthorizationDenied(handlerClass = Null.class)
public String getUserEmail() {
    // ...
}

@Component
public class Null implements MethodAuthorizationDeniedHandler {
    @Override
    public Object handle(MethodInvocation methodInvocation, AuthorizationResult result) {
        return null;
    }
}

That is a little bit too complicated to just return null. A simpler setup could be:

@HandleAuthorizationDenied(handlerExpression = "null")
public String getUserEmail() {
    // ...
}

@HandleAuthorizationDenied(handlerExpression = "***")
public String getUserEmail() {
    // ...
}

Related:
@marcusdacoregio marcusdacoregio added in: core An issue in spring-security-core type: enhancement A general enhancement labels Apr 5, 2024
@marcusdacoregio marcusdacoregio self-assigned this Apr 5, 2024
@marcusdacoregio marcusdacoregio mentioned this issue Apr 5, 2024
Open
16 tasks
@marcusdacoregio marcusdacoregio changed the title Support Expressions in Method Authorization Handlers Support Expressions in Method Authorization Denied Handlers Apr 9, 2024
franticticktick pushed a commit to franticticktick/spring-security that referenced this issue Apr 15, 2024
Add support expressions in MethodAuthorizationDeniedHandler
c42d175 
Closes spring-projectsgh-14857
@franticticktick franticticktick mentioned this issue Apr 15, 2024
Closed
franticticktick pushed a commit to franticticktick/spring-security that referenced this issue Apr 15, 2024
Add support expressions in MethodAuthorizationDeniedHandler
905324f 
Closes spring-projectsgh-14857
@marcusdacoregio
Copy link
Contributor Author

marcusdacoregio commented Jul 15, 2024
edited
Loading

After talking with the team about this feature we are not sure that there should be an expression attribute in the annotation, doing two different things (expression and handlerClass) may be confusing.

Instead, @HandleAuthorizationDenied annotation should stay as it is and we should consider introducing new annotations for the most common fallback return values, like null or a masked String value. Meta-annotations can be used to achieve that goal, for example:

@Target({ ElementType.METHOD, ElementType.TYPE })
@Retention(RetentionPolicy.RUNTIME)
@Inherited
@Documented
@HandleAuthorizationDenied(handlerClass = NullMethodAuthorizationDeniedHandler.class);
public @interface NullWhenAuthorizationDenied { }

@Target({ ElementType.METHOD, ElementType.TYPE })
@Retention(RetentionPolicy.RUNTIME)
@Inherited
@Documented
@HandleAuthorizationDenied(handlerClass = StringMethodAuthorizationDeniedHandler.class);
public @interface StringWhenAuthorizationDenied {
    String value();
}

NullMethodAuthorizationDeniedHandler and StringMethodAuthorizationDeniedHandler would be provided by the framework, then, when resolving the handlerClass, there is no need to look for it in the ApplicationContext.

I believe that we should gather more feedback from the community before introducing those new annotations since they can be easily achieved in the current state.

@marcusdacoregio marcusdacoregio removed their assignment Sep 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
in: core An issue in spring-security-core type: enhancement A general enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Support expressions in MethodAuthorizationDeniedHandler franticticktick/spring-security
1 participant
@marcusdacoregio