Closed
Description
The given test:
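```java
import org.aopalliance.intercept.MethodInvocation;
import org.junit.jupiter.api.Test;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authorization.AuthorizationProxyFactory;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
import org.springframework.security.authorization.method.HandleAuthorizationDenied;
import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;

import static org.assertj.core.api.Assertions.assertThat;

public class HandleTests {

    @Test
    public void test() {
        // Proxy factory created without any ApplicationContext
        AuthorizationProxyFactory proxyFactory = AuthorizationAdvisorProxyFactory.withDefaults();
        Account account = (Account) proxyFactory.proxy(new Account());
        // The denied handler should turn the denial into a null return value
        assertThat(account.getAccountNumber()).isNull();
    }

    public static class Account {

        @PreAuthorize("denyAll")
        @HandleAuthorizationDenied(handlerClass = NullMethodAuthorizationDeniedHandler.class)
        public String getAccountNumber() {
            return "123";
        }
    }

    // static, so the handler has a no-arg constructor and does not need an enclosing instance
    public static class NullMethodAuthorizationDeniedHandler implements MethodAuthorizationDeniedHandler {

        @Override
        public Object handleDeniedInvocation(MethodInvocation methodInvocation, AuthorizationResult authorizationResult) {
            return null;
        }
    }
}
```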
fails because `PreAuthorizeAuthenticiationManager` -- and other related managers -- resolve `handlerClass` by looking it up as a `@Bean`. The main concern here is that it is failing silently to load the `handlerClass`.

It would be nice if, by default, it tried to construct the value. That behavior would be replaced if an `ApplicationContext` is specified.
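The resolution order requested above, as an added sketch that is not part of the original issue and is not Spring Security's code: construct the handler reflectively by default, let a bean lookup replace that when a context is supplied, and raise an error instead of failing silently. `DeniedHandler`, `Resolver` and the `Function`-based bean lookup are hypothetical stand-ins that use only the JDK.

```java
import java.util.function.Function;

public class HandlerResolutionSketch {

    // Hypothetical stand-in for the handler contract (not Spring Security's interface).
    public interface DeniedHandler {
        Object handleDenied(String methodName);
    }

    public static class NullDeniedHandler implements DeniedHandler {
        @Override
        public Object handleDenied(String methodName) {
            return null;
        }
    }

    // Hypothetical resolver: beanLookup is null when no context was specified.
    static final class Resolver {
        private final Function<Class<?>, Object> beanLookup;

        Resolver(Function<Class<?>, Object> beanLookup) {
            this.beanLookup = beanLookup;
        }

        DeniedHandler resolve(Class<? extends DeniedHandler> handlerClass) {
            if (beanLookup != null) {
                // A context was supplied: it replaces reflective construction.
                Object bean = beanLookup.apply(handlerClass);
                if (bean == null) {
                    throw new IllegalStateException("No bean of type " + handlerClass.getName());
                }
                return handlerClass.cast(bean);
            }
            try {
                // Default: construct the handler through its no-arg constructor.
                return handlerClass.getDeclaredConstructor().newInstance();
            } catch (ReflectiveOperationException ex) {
                // Surface the failure so a missing handler is never ignored.
                throw new IllegalStateException("Cannot construct " + handlerClass.getName(), ex);
            }
        }
    }

    public static void main(String[] args) {
        DeniedHandler handler = new Resolver(null).resolve(NullDeniedHandler.class);
        System.out.println("no context: " + handler.handleDenied("getAccountNumber"));
        try {
            new Resolver(type -> null).resolve(NullDeniedHandler.class); // constructed empty context
        } catch (IllegalStateException ex) {
            System.out.println("empty context: " + ex.getMessage());
        }
    }
}
```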