Pre/PostAuthorize should not ignore HandleAuthorizationDenied#handlerClass when ApplicationContext is not provided #15535

Closed
@jzheaux

Description

A test like this:

```java
import static org.assertj.core.api.Assertions.assertThat;

import org.aopalliance.intercept.MethodInvocation;
import org.junit.jupiter.api.Test;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authorization.AuthorizationProxyFactory;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
import org.springframework.security.authorization.method.HandleAuthorizationDenied;
import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;

public class HandleTests {

    @Test
    public void test() {
        // Factory built without an ApplicationContext: nothing can resolve handlerClass to a bean
        AuthorizationProxyFactory proxyFactory = AuthorizationAdvisorProxyFactory.withDefaults();
        Account account = (Account) proxyFactory.proxy(new Account());
        assertThat(account.getAccountNumber()).isNull();
    }

    public static class Account {
        @PreAuthorize("denyAll")
        @HandleAuthorizationDenied(handlerClass = NullMethodAuthorizationDeniedHandler.class)
        public String getAccountNumber() {
            return "123";
        }
    }

    // static so the handler can be instantiated without an enclosing HandleTests instance
    public static class NullMethodAuthorizationDeniedHandler implements MethodAuthorizationDeniedHandler {
        @Override
        public Object handleDeniedInvocation(MethodInvocation methodInvocation, AuthorizationResult authorizationResult) {
            return null;
        }
    }
}
```

Will fall back to throwing an exception since there is no application context provided to PostAuthorizeAuthorizationManager.

Instead, it should at least error so the application doesn't get the impression that their handler class is being used.
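The configuration under which the handler is actually applied, as an added example that is not part of the issue or of Spring Security's own test suite: the proxy factory is taken from a Spring context started with `@EnableMethodSecurity`, and the handler named in `handlerClass` is registered as a bean. The class names `HandleWithContextTests`, `Config` and the bean method `nullHandler` are assumptions chosen for this example; it also assumes, as the reference documentation describes, that `@EnableMethodSecurity` exposes an `AuthorizationProxyFactory` bean whose advisors carry the application context and that `handlerClass` is resolved from that context as a bean.

```java
import static org.assertj.core.api.Assertions.assertThat;

import org.aopalliance.intercept.MethodInvocation;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authorization.AuthorizationProxyFactory;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.authorization.method.HandleAuthorizationDenied;
import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;

// Hypothetical test class name; the Config class below is part of this example, not of the project
@SpringJUnitConfig(HandleWithContextTests.Config.class)
public class HandleWithContextTests {

    // Context-managed factory: its advisors hold the ApplicationContext, so
    // handlerClass can be looked up as a bean instead of silently falling back
    @Autowired
    AuthorizationProxyFactory proxyFactory;

    @Test
    public void handlerBeanIsUsedWhenContextIsPresent() {
        Account account = (Account) proxyFactory.proxy(new Account());
        // denyAll always denies; the registered handler turns the denial into null
        // rather than an AccessDeniedException
        assertThat(account.getAccountNumber()).isNull();
    }

    public static class Account {
        @PreAuthorize("denyAll")
        @HandleAuthorizationDenied(handlerClass = NullMethodAuthorizationDeniedHandler.class)
        public String getAccountNumber() {
            return "123";
        }
    }

    public static class NullMethodAuthorizationDeniedHandler implements MethodAuthorizationDeniedHandler {
        @Override
        public Object handleDeniedInvocation(MethodInvocation methodInvocation, AuthorizationResult authorizationResult) {
            return null;
        }
    }

    @Configuration
    @EnableMethodSecurity
    static class Config {
        // handlerClass is resolved from the context, so the handler must exist as a bean
        @Bean
        NullMethodAuthorizationDeniedHandler nullHandler() {
            return new NullMethodAuthorizationDeniedHandler();
        }
    }
}
```

The contrast with the test in the report is the source of the proxy factory: `AuthorizationAdvisorProxyFactory.withDefaults()` has no context to consult, so a `handlerClass` declared on the method has nothing to resolve against, whereas the context-provided factory can find the bean. When writing tests for denied-invocation handlers, the assertion on the handler's return value (here `isNull()`) is the check that distinguishes "handler ran" from "default exception path ran".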

Labels

in: core (An issue in spring-security-core)
status: declined (A suggestion or change that we don't feel we should currently apply)
type: bug (A general bug)
