diff --git a/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc b/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc
index ab2297b161..83e840d326 100644
--- a/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc
+++ b/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc
@@ -1070,7 +1070,7 @@ It also has access to the full Java language. [[custom-authorization-managers]] === Using a Custom Authorization Manager -The second way to authorize a method programmatically is two create a custom xref:servlet/authorization/architecture.adoc#_the_authorizationmanager[`AuthorizationManager`]. +The second way to authorize a method programmatically is to create a custom xref:servlet/authorization/architecture.adoc#_the_authorizationmanager[`AuthorizationManager`]. First, declare an authorization manager instance, perhaps like this one:
@@ -1081,10 +1081,16 @@ Java:: [source,java,role="primary"] ---- @Component -public class MyAuthorizationManager implements AuthorizationManager { +public class MyAuthorizationManager implements AuthorizationManager, AuthorizationManager { + @Override public AuthorizationDecision check(Supplier authentication, MethodInvocation invocation) { // ... authorization logic } + + @Override + public AuthorizationDecision check(Supplier authentication, MethodInvocationResult invocation) { + // ... authorization logic + } } ---- 
@@ -1092,9 +1098,13 @@ Kotlin:: + [source,kotlin,role="secondary"] ---- -@Component("authz") -open class MyAuthorizationManager: AuthorizationManager { - fun check(val authentication: Supplier, val invocation: MethodInvocation): AuthorizationDecision { +@Component +class MyAuthorizationManager : AuthorizationManager, AuthorizationManager { + override fun check(authentication: Supplier, invocation: MethodInvocation): AuthorizationDecision { + // ... authorization logic + } + + override fun check(authentication: Supplier, invocation: MethodInvocationResult): AuthorizationDecision { // ... authorization logic } }
@@ -1104,7 +1114,7 @@ open class MyAuthorizationManager: AuthorizationManager { Then, publish the method interceptor with a pointcut that corresponds to when you want that `AuthorizationManager` to run. For example, you could replace how `@PreAuthorize` and `@PostAuthorize` work like so: -.Only @PostAuthorize Configuration +.Only @PreAuthorize and @PostAuthorize Configuration [tabs] ====== Java::
@@ -1116,7 +1126,7 @@ Java:: class MethodSecurityConfig { @Bean @Role(BeanDefinition.ROLE_INFRASTRUCTURE) - Advisor postAuthorize(MyAuthorizationManager manager) { + Advisor preAuthorize(MyAuthorizationManager manager) { return AuthorizationManagerBeforeMethodInterceptor.preAuthorize(manager); }
@@ -1157,7 +1167,7 @@ Xml:: -