From add5c561360daf61b7a4978dd895b4b386c8c527 Mon Sep 17 00:00:00 2001
From: Josh Cummings
Date: Fri, 30 Aug 2024 11:43:47 -0600
Subject: [PATCH] Update AuthorizeReturnObject Jackson Docs

Now instructs to use MethodAuthorizationDeniedHandler

Issue gh-14601
---
 .../authorization/method-security.adoc | 67 ++++++-------------
 1 file changed, 22 insertions(+), 45 deletions(-)

diff --git a/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc b/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc
index 99bd41adc1..883b4f8185 100644
--- a/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc
+++ b/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc
@@ -2200,10 +2200,10 @@ Java::
 ----
 @RestController
 public class UserController {
-	@Autowired
+	@Autowired
 	AuthorizationProxyFactory proxyFactory;
 
-	@GetMapping
+	@GetMapping
 	User currentUser(@AuthenticationPrincipal User user) {
 		return this.proxyFactory.proxy(user);
 	}
@@ -2227,7 +2227,7 @@ class UserController {
 ----
 ======
 
-Finally, you will need to publish a <> to catch the `AccessDeniedException` thrown for each field, which you can do like so:
+You will need to <> like this one:
 
 [tabs]
 ======
@@ -2236,32 +2236,18 @@ Java::
 [source,java,role="primary"]
 ----
 @Component
-public class AccessDeniedExceptionInterceptor implements AuthorizationAdvisor {
-	private final AuthorizationAdvisor advisor = AuthorizationManagerBeforeMethodInterceptor.preAuthorize();
+public class Null implements MethodAuthorizationDeniedHandler {
+	@Override
+	public Object handleDeniedInvocation(MethodInvocation methodInvocation, AuthorizationResult authorizationResult) {
+		return null;
+	}
+}
 
-	@Override
-	public Object invoke(MethodInvocation invocation) throws Throwable {
-		try {
-			return invocation.proceed();
-		} catch (AccessDeniedException ex) {
-			return null;
-		}
-	}
+// ...
 
-	@Override
-	public Pointcut getPointcut() {
-		return this.advisor.getPointcut();
-	}
-
-	@Override
-	public Advice getAdvice() {
-		return this;
-	}
-
-	@Override
-	public int getOrder() {
-		return this.advisor.getOrder() - 1;
-	}
+@HandleAuthorizationDenied(handlerClass = Null.class)
+public class User {
+	...
 }
 ----
 
@@ -2270,26 +2256,17 @@ Kotlin::
 [source,kotlin,role="secondary"]
 ----
 @Component
-class AccessDeniedExceptionInterceptor: AuthorizationAdvisor {
-	var advisor: AuthorizationAdvisor = AuthorizationManagerBeforeMethodInterceptor.preAuthorize()
-
-	@Throws(Throwable::class)
-	fun invoke(invocation: MethodInvocation): Any? {
-		return try {
-			invocation.proceed()
-		} catch (ex:AccessDeniedException) {
-			null
-		}
+class Null : MethodAuthorizationDeniedHandler {
+	override fun handleDeniedInvocation(methodInvocation: MethodInvocation?, authorizationResult: AuthorizationResult?): Any? {
+		return null
 	}
+}
 
-	val pointcut: Pointcut
-		get() = advisor.getPointcut()
+// ...
 
-	val advice: Advice
-		get() = this
-
-	val order: Int
-		get() = advisor.getOrder() - 1
+@HandleAuthorizationDenied(handlerClass = Null.class)
+open class User {
+	...
 }
 ----
 ======
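Review bot: The Kotlin sample in the second hunk uses Java syntax, `@HandleAuthorizationDenied(handlerClass = Null.class)`, which does not compile in Kotlin; it should read `@HandleAuthorizationDenied(handlerClass = Null::class)`. Readers copy these snippets verbatim, so a non-compiling line in the security-critical part of the example (the piece that decides what an unauthorized caller sees) is worth fixing before merge. Separately, because the annotation sits on the class, `Null` is presumably applied to every guarded method of `User`, so returning `null` only works where each guarded accessor has a nullable or reference return type; a one-sentence caveat to that effect next to the sample would save readers a surprise with primitive-returning getters. The `...` placeholder in the class body hides which methods carry the `@PreAuthorize`/`@PostAuthorize` checks this handler responds to, so the note should also say the sample assumes those annotations from the earlier example.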
@@ -2317,7 +2294,7 @@ And if they do have that authority, they'll see:
 
 [TIP]
 ====
-You can also add the Spring Boot property `spring.jackson.default-property-inclusion=non_null` to exclude the null value, if you also don't want to reveal the JSON key to an unauthorized user.
+You can also add the Spring Boot property `spring.jackson.default-property-inclusion=non_null` to exclude the null value from serialization, if you also don't want to reveal the JSON key to an unauthorized user.
 ====
 
 [[fallback-values-authorization-denied]]