marcusdacoregio
commented
1 month ago After talking with the team about this feature we are not sure that there should be an expression attribute in the annotation, doing two different things (expression and handlerClass) may be confusing.
Instead, @HandleAuthorizationDenied annotation should stay as it is and we should consider introducing new annotations for the most common fallback return values, like null or a masked String value. Meta-annotations can be used to achieve that goal, for example:
@Target({ ElementType.METHOD, ElementType.TYPE })
@Retention(RetentionPolicy.RUNTIME)
@Inherited
@Documented
@HandleAuthorizationDenied(handlerClass = NullMethodAuthorizationDeniedHandler.class);
public @interface NullWhenAuthorizationDenied { }
@Target({ ElementType.METHOD, ElementType.TYPE })
@Retention(RetentionPolicy.RUNTIME)
@Inherited
@Documented
@HandleAuthorizationDenied(handlerClass = StringMethodAuthorizationDeniedHandler.class);
public @interface StringWhenAuthorizationDenied {
String value();
}NullMethodAuthorizationDeniedHandler and StringMethodAuthorizationDeniedHandler would be provided by the framework, then, when resolving the handlerClass, there is no need to look for it in the ApplicationContext.
I believe that we should gather more feedback from the community before introducing those new annotations since they can be easily achieved in the current state.
We should consider supporting expressions in method authorization handlers for simple setups. Currently, if you want to handle authorization denied and map the return value to
null, you must create aMethodAuthorizationDeniedHandler/PostProcessorclass and expose it as a bean:That is a little bit too complicated to just return null. A simpler setup could be:
Related:
14601
14712