spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Directly including a custom error message within the @PreAuthorize #14967

Closed dzulic closed 3 weeks ago

dzulic commented 3 weeks ago

A custom has-permission method is being invoked in PreAuthorize. The method customHasPermission checks for the permission in the token and returns true/false:

@PreAuthorize("@authService.customHasPermission('permission')")

Expected Behavior

Have the thrown exception carry a custom message with the permission name if hasPermission is false. Some suggestions would be having:

Current Behavior

Context

Trying to pass the permission string to the AccessDeniedException so it can return a custom message.

CrazyParanoid commented 3 weeks ago

Hi @dzulic! Have you tried using @HandleAuthorizationDenied? Perhaps it will solve your problem.

dzulic commented 3 weeks ago

@CrazyParanoid Hi, thanks for the reply. I haven't, as I see it is in 6.3.0 and still in development, but I will check.

Currently I found a workaround: throwing AccessDeniedException in the customHasPermission method, which is then handled in the PreAuthorization correctly.
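
The workaround described in the comment above, sketched as an added example (not code posted in this thread or taken from Spring Security). It assumes method security is enabled with @EnableMethodSecurity and that the token's permissions were mapped to granted authorities; ReportService and the message text are hypothetical.

```java
// Shown in one file for brevity; in a project each class is public in its own file.
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

// Bean name matches the "@authService" reference in the SpEL expression.
@Component("authService")
class AuthService {

    // Returns true when the caller holds the permission; otherwise throws,
    // so the denial carries the permission name instead of a generic message.
    public boolean customHasPermission(String permission) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Assumption: token permissions were mapped to granted authorities.
        boolean granted = auth != null && auth.isAuthenticated()
                && auth.getAuthorities().stream()
                       .map(GrantedAuthority::getAuthority)
                       .anyMatch(permission::equals);
        if (!granted) {
            // Fail closed: a missing or unauthenticated context is also a denial.
            // The message reaches whatever renders the exception, so it holds
            // only the permission name; caller details belong in server logs.
            throw new AccessDeniedException("Missing permission: " + permission);
        }
        return true;
    }
}

@Service
class ReportService { // hypothetical protected service

    @PreAuthorize("@authService.customHasPermission('permission')")
    public String readReport() {
        return "report body"; // placeholder result
    }
}
```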

jzheaux commented 3 weeks ago

Thanks, @dzulic, for reaching out and @CrazyParanoid for sharing about the new feature.

Since this has been brought up previously in https://github.com/spring-projects/spring-security/issues/3306, I'll close this ticket and encourage continuing the conversation over there.