Add @AuthorizationDeniedHandler for Method Authorization Denied Handling
Issue gh-14601
This commit is contained in:
@@ -39,6 +39,7 @@ import org.springframework.security.access.prepost.PostFilter;
|
||||
import org.springframework.security.access.prepost.PreAuthorize;
|
||||
import org.springframework.security.access.prepost.PreFilter;
|
||||
import org.springframework.security.authorization.AuthorizationResult;
|
||||
import org.springframework.security.authorization.method.AuthorizationDeniedHandler;
|
||||
import org.springframework.security.authorization.method.AuthorizeReturnObject;
|
||||
import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
|
||||
import org.springframework.security.authorization.method.MethodAuthorizationDeniedPostProcessor;
|
||||
@@ -127,54 +128,67 @@ public interface MethodSecurityService {
|
||||
@RequireAdminRole
|
||||
void repeatedAnnotations();
|
||||
|
||||
@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = StarMaskingHandler.class)
|
||||
@PreAuthorize("hasRole('ADMIN')")
|
||||
@AuthorizationDeniedHandler(handlerClass = StarMaskingHandler.class)
|
||||
String preAuthorizeGetCardNumberIfAdmin(String cardNumber);
|
||||
|
||||
@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = StartMaskingHandlerChild.class)
|
||||
@PreAuthorize("hasRole('ADMIN')")
|
||||
@AuthorizationDeniedHandler(handlerClass = StartMaskingHandlerChild.class)
|
||||
String preAuthorizeWithHandlerChildGetCardNumberIfAdmin(String cardNumber);
|
||||
|
||||
@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = StarMaskingHandler.class)
|
||||
@PreAuthorize("hasRole('ADMIN')")
|
||||
@AuthorizationDeniedHandler(handlerClass = StarMaskingHandler.class)
|
||||
String preAuthorizeThrowAccessDeniedManually();
|
||||
|
||||
@PostAuthorize(value = "hasRole('ADMIN')", postProcessorClass = CardNumberMaskingPostProcessor.class)
|
||||
@PostAuthorize("hasRole('ADMIN')")
|
||||
@AuthorizationDeniedHandler(postProcessorClass = CardNumberMaskingPostProcessor.class)
|
||||
String postAuthorizeGetCardNumberIfAdmin(String cardNumber);
|
||||
|
||||
@PostAuthorize(value = "hasRole('ADMIN')", postProcessorClass = PostMaskingPostProcessor.class)
|
||||
@PostAuthorize("hasRole('ADMIN')")
|
||||
@AuthorizationDeniedHandler(postProcessorClass = PostMaskingPostProcessor.class)
|
||||
String postAuthorizeThrowAccessDeniedManually();
|
||||
|
||||
@PreAuthorize(value = "denyAll()", handlerClass = MaskAnnotationHandler.class)
|
||||
@PreAuthorize("denyAll()")
|
||||
@Mask("methodmask")
|
||||
@AuthorizationDeniedHandler(handlerClass = MaskAnnotationHandler.class)
|
||||
String preAuthorizeDeniedMethodWithMaskAnnotation();
|
||||
|
||||
@PreAuthorize(value = "denyAll()", handlerClass = MaskAnnotationHandler.class)
|
||||
@PreAuthorize("denyAll()")
|
||||
@AuthorizationDeniedHandler(handlerClass = MaskAnnotationHandler.class)
|
||||
String preAuthorizeDeniedMethodWithNoMaskAnnotation();
|
||||
|
||||
@NullDenied(role = "ADMIN")
|
||||
String postAuthorizeDeniedWithNullDenied();
|
||||
|
||||
@PostAuthorize(value = "denyAll()", postProcessorClass = MaskAnnotationPostProcessor.class)
|
||||
@PostAuthorize("denyAll()")
|
||||
@Mask("methodmask")
|
||||
@AuthorizationDeniedHandler(postProcessorClass = MaskAnnotationPostProcessor.class)
|
||||
String postAuthorizeDeniedMethodWithMaskAnnotation();
|
||||
|
||||
@PostAuthorize(value = "denyAll()", postProcessorClass = MaskAnnotationPostProcessor.class)
|
||||
@PostAuthorize("denyAll()")
|
||||
@AuthorizationDeniedHandler(postProcessorClass = MaskAnnotationPostProcessor.class)
|
||||
String postAuthorizeDeniedMethodWithNoMaskAnnotation();
|
||||
|
||||
@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = MaskAnnotationHandler.class)
|
||||
@PreAuthorize("hasRole('ADMIN')")
|
||||
@Mask(expression = "@myMasker.getMask()")
|
||||
@AuthorizationDeniedHandler(handlerClass = MaskAnnotationHandler.class)
|
||||
String preAuthorizeWithMaskAnnotationUsingBean();
|
||||
|
||||
@PostAuthorize(value = "hasRole('ADMIN')", postProcessorClass = MaskAnnotationPostProcessor.class)
|
||||
@PostAuthorize("hasRole('ADMIN')")
|
||||
@Mask(expression = "@myMasker.getMask(returnObject)")
|
||||
@AuthorizationDeniedHandler(postProcessorClass = MaskAnnotationPostProcessor.class)
|
||||
String postAuthorizeWithMaskAnnotationUsingBean();
|
||||
|
||||
@AuthorizeReturnObject
|
||||
UserRecordWithEmailProtected getUserRecordWithEmailProtected();
|
||||
|
||||
@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = UserFallbackDeniedHandler.class)
|
||||
@PreAuthorize("hasRole('ADMIN')")
|
||||
@AuthorizationDeniedHandler(handlerClass = UserFallbackDeniedHandler.class)
|
||||
UserRecordWithEmailProtected getUserWithFallbackWhenUnauthorized();
|
||||
|
||||
@PreAuthorize(value = "@authz.checkResult(#result)", handlerClass = MethodAuthorizationDeniedHandler.class)
|
||||
@PostAuthorize(value = "@authz.checkResult(!#result)",
|
||||
@PreAuthorize("@authz.checkResult(#result)")
|
||||
@PostAuthorize("@authz.checkResult(!#result)")
|
||||
@AuthorizationDeniedHandler(handlerClass = MethodAuthorizationDeniedHandler.class,
|
||||
postProcessorClass = MethodAuthorizationDeniedPostProcessor.class)
|
||||
String checkCustomResult(boolean result);
|
||||
|
||||
@@ -305,7 +319,8 @@ public interface MethodSecurityService {
|
||||
@Target({ ElementType.METHOD, ElementType.TYPE })
|
||||
@Retention(RetentionPolicy.RUNTIME)
|
||||
@Inherited
|
||||
@PostAuthorize(value = "hasRole('{role}')", postProcessorClass = NullPostProcessor.class)
|
||||
@PostAuthorize("hasRole('{role}')")
|
||||
@AuthorizationDeniedHandler(postProcessorClass = NullPostProcessor.class)
|
||||
@interface NullDenied {
|
||||
|
||||
String role();
|
||||
|
||||
@@ -33,6 +33,7 @@ import org.springframework.security.access.expression.method.DefaultMethodSecuri
|
||||
import org.springframework.security.access.prepost.PostAuthorize;
|
||||
import org.springframework.security.access.prepost.PreAuthorize;
|
||||
import org.springframework.security.authorization.AuthorizationResult;
|
||||
import org.springframework.security.authorization.method.AuthorizationDeniedHandler;
|
||||
import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
|
||||
import org.springframework.security.authorization.method.MethodAuthorizationDeniedPostProcessor;
|
||||
import org.springframework.security.authorization.method.MethodInvocationResult;
|
||||
@@ -45,48 +46,60 @@ import org.springframework.util.StringUtils;
|
||||
@ReactiveMethodSecurityService.Mask("classmask")
|
||||
public interface ReactiveMethodSecurityService {
|
||||
|
||||
@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = StarMaskingHandler.class)
|
||||
@PreAuthorize("hasRole('ADMIN')")
|
||||
@AuthorizationDeniedHandler(handlerClass = StarMaskingHandler.class)
|
||||
Mono<String> preAuthorizeGetCardNumberIfAdmin(String cardNumber);
|
||||
|
||||
@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = StartMaskingHandlerChild.class)
|
||||
@PreAuthorize("hasRole('ADMIN')")
|
||||
@AuthorizationDeniedHandler(handlerClass = StartMaskingHandlerChild.class)
|
||||
Mono<String> preAuthorizeWithHandlerChildGetCardNumberIfAdmin(String cardNumber);
|
||||
|
||||
@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = StarMaskingHandler.class)
|
||||
@PreAuthorize("hasRole('ADMIN')")
|
||||
@AuthorizationDeniedHandler(handlerClass = StarMaskingHandler.class)
|
||||
Mono<String> preAuthorizeThrowAccessDeniedManually();
|
||||
|
||||
@PostAuthorize(value = "hasRole('ADMIN')", postProcessorClass = CardNumberMaskingPostProcessor.class)
|
||||
@PostAuthorize("hasRole('ADMIN')")
|
||||
@AuthorizationDeniedHandler(postProcessorClass = CardNumberMaskingPostProcessor.class)
|
||||
Mono<String> postAuthorizeGetCardNumberIfAdmin(String cardNumber);
|
||||
|
||||
@PostAuthorize(value = "hasRole('ADMIN')", postProcessorClass = PostMaskingPostProcessor.class)
|
||||
@PostAuthorize("hasRole('ADMIN')")
|
||||
@AuthorizationDeniedHandler(postProcessorClass = PostMaskingPostProcessor.class)
|
||||
Mono<String> postAuthorizeThrowAccessDeniedManually();
|
||||
|
||||
@PreAuthorize(value = "denyAll()", handlerClass = MaskAnnotationHandler.class)
|
||||
@PreAuthorize("denyAll()")
|
||||
@Mask("methodmask")
|
||||
@AuthorizationDeniedHandler(handlerClass = MaskAnnotationHandler.class)
|
||||
Mono<String> preAuthorizeDeniedMethodWithMaskAnnotation();
|
||||
|
||||
@PreAuthorize(value = "denyAll()", handlerClass = MaskAnnotationHandler.class)
|
||||
@PreAuthorize("denyAll()")
|
||||
@AuthorizationDeniedHandler(handlerClass = MaskAnnotationHandler.class)
|
||||
Mono<String> preAuthorizeDeniedMethodWithNoMaskAnnotation();
|
||||
|
||||
@NullDenied(role = "ADMIN")
|
||||
Mono<String> postAuthorizeDeniedWithNullDenied();
|
||||
|
||||
@PostAuthorize(value = "denyAll()", postProcessorClass = MaskAnnotationPostProcessor.class)
|
||||
@PostAuthorize("denyAll()")
|
||||
@Mask("methodmask")
|
||||
@AuthorizationDeniedHandler(postProcessorClass = MaskAnnotationPostProcessor.class)
|
||||
Mono<String> postAuthorizeDeniedMethodWithMaskAnnotation();
|
||||
|
||||
@PostAuthorize(value = "denyAll()", postProcessorClass = MaskAnnotationPostProcessor.class)
|
||||
@PostAuthorize("denyAll()")
|
||||
@AuthorizationDeniedHandler(postProcessorClass = MaskAnnotationPostProcessor.class)
|
||||
Mono<String> postAuthorizeDeniedMethodWithNoMaskAnnotation();
|
||||
|
||||
@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = MaskAnnotationHandler.class)
|
||||
@PreAuthorize("hasRole('ADMIN')")
|
||||
@Mask(expression = "@myMasker.getMask()")
|
||||
@AuthorizationDeniedHandler(handlerClass = MaskAnnotationHandler.class)
|
||||
Mono<String> preAuthorizeWithMaskAnnotationUsingBean();
|
||||
|
||||
@PostAuthorize(value = "hasRole('ADMIN')", postProcessorClass = MaskAnnotationPostProcessor.class)
|
||||
@PostAuthorize("hasRole('ADMIN')")
|
||||
@Mask(expression = "@myMasker.getMask(returnObject)")
|
||||
@AuthorizationDeniedHandler(postProcessorClass = MaskAnnotationPostProcessor.class)
|
||||
Mono<String> postAuthorizeWithMaskAnnotationUsingBean();
|
||||
|
||||
@PreAuthorize(value = "@authz.checkReactiveResult(#result)", handlerClass = MethodAuthorizationDeniedHandler.class)
|
||||
@PostAuthorize(value = "@authz.checkReactiveResult(!#result)",
|
||||
@PreAuthorize("@authz.checkReactiveResult(#result)")
|
||||
@PostAuthorize("@authz.checkReactiveResult(!#result)")
|
||||
@AuthorizationDeniedHandler(handlerClass = MethodAuthorizationDeniedHandler.class,
|
||||
postProcessorClass = MethodAuthorizationDeniedPostProcessor.class)
|
||||
Mono<String> checkCustomResult(boolean result);
|
||||
|
||||
@@ -217,7 +230,8 @@ public interface ReactiveMethodSecurityService {
|
||||
@Target({ ElementType.METHOD, ElementType.TYPE })
|
||||
@Retention(RetentionPolicy.RUNTIME)
|
||||
@Inherited
|
||||
@PostAuthorize(value = "hasRole('{value}')", postProcessorClass = NullPostProcessor.class)
|
||||
@PostAuthorize("hasRole('{value}')")
|
||||
@AuthorizationDeniedHandler(postProcessorClass = NullPostProcessor.class)
|
||||
@interface NullDenied {
|
||||
|
||||
String role();
|
||||
|
||||
@@ -18,6 +18,7 @@ package org.springframework.security.config.annotation.method.configuration;
|
||||
|
||||
import org.springframework.security.access.prepost.PostAuthorize;
|
||||
import org.springframework.security.authorization.AuthorizationResult;
|
||||
import org.springframework.security.authorization.method.AuthorizationDeniedHandler;
|
||||
import org.springframework.security.authorization.method.MethodAuthorizationDeniedPostProcessor;
|
||||
import org.springframework.security.authorization.method.MethodInvocationResult;
|
||||
|
||||
@@ -36,7 +37,8 @@ public class UserRecordWithEmailProtected {
|
||||
return this.name;
|
||||
}
|
||||
|
||||
@PostAuthorize(value = "hasRole('ADMIN')", postProcessorClass = EmailMaskingPostProcessor.class)
|
||||
@PostAuthorize("hasRole('ADMIN')")
|
||||
@AuthorizationDeniedHandler(postProcessorClass = EmailMaskingPostProcessor.class)
|
||||
public String email() {
|
||||
return this.email;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user