Update AuthorizeReturnObject Jackson Docs

Now instructs to use MethodAuthorizationDeniedHandler

Issue gh-14601
Josh Cummings 2024-08-30 11:43:47 -06:00
parent fd05c5ad76
commit add5c56136
GPG Key ID: A306A51F43B8E5A5


@ -2200,10 +2200,10 @@ Java::
---- ----
@RestController @RestController
public class UserController { public class UserController {
@Autowired @Autowired
AuthorizationProxyFactory proxyFactory; AuthorizationProxyFactory proxyFactory;
@GetMapping @GetMapping
User currentUser(@AuthenticationPrincipal User user) { User currentUser(@AuthenticationPrincipal User user) {
return this.proxyFactory.proxy(user); return this.proxyFactory.proxy(user);
} }
@ -2227,7 +2227,7 @@ class UserController {
---- ----
====== ======
Finally, you will need to publish a <<custom_advice, custom interceptor>> to catch the `AccessDeniedException` thrown for each field, which you can do like so: You will need to <<fallback-values-authorization-denied,add a `MethodAuthorizationDeniedHandler`>> like this one:
[tabs] [tabs]
====== ======
@ -2236,32 +2236,18 @@ Java::
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@Component @Component
public class AccessDeniedExceptionInterceptor implements AuthorizationAdvisor { public class Null implements MethodAuthorizationDeniedHandler {
private final AuthorizationAdvisor advisor = AuthorizationManagerBeforeMethodInterceptor.preAuthorize(); @Override
public Object handleDeniedInvocation(MethodInvocation methodInvocation, AuthorizationResult authorizationResult) {
return null;
}
}
@Override // ...
public Object invoke(MethodInvocation invocation) throws Throwable {
try {
return invocation.proceed();
} catch (AccessDeniedException ex) {
return null;
}
}
@Override @HandleAuthorizationDenied(handlerClass = Null.class)
public Pointcut getPointcut() { public class User {
return this.advisor.getPointcut(); ...
}
@Override
public Advice getAdvice() {
return this;
}
@Override
public int getOrder() {
return this.advisor.getOrder() - 1;
}
} }
---- ----
@ -2270,26 +2256,17 @@ Kotlin::
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@Component @Component
class AccessDeniedExceptionInterceptor: AuthorizationAdvisor { class Null : MethodAuthorizationDeniedHandler {
var advisor: AuthorizationAdvisor = AuthorizationManagerBeforeMethodInterceptor.preAuthorize() override fun handleDeniedInvocation(methodInvocation: MethodInvocation?, authorizationResult: AuthorizationResult?): Any? {
return null
@Throws(Throwable::class)
fun invoke(invocation: MethodInvocation): Any? {
return try {
invocation.proceed()
} catch (ex:AccessDeniedException) {
null
}
} }
}
val pointcut: Pointcut // ...
get() = advisor.getPointcut()
val advice: Advice @HandleAuthorizationDenied(handlerClass = Null.class)
get() = this open class User {
...
val order: Int
get() = advisor.getOrder() - 1
} }
---- ----
====== ======
@ -2317,7 +2294,7 @@ And if they do have that authority, they'll see:
[TIP] [TIP]
==== ====
You can also add the Spring Boot property `spring.jackson.default-property-inclusion=non_null` to exclude the null value, if you also don't want to reveal the JSON key to an unauthorized user. You can also add the Spring Boot property `spring.jackson.default-property-inclusion=non_null` to exclude the null value from serialization, if you also don't want to reveal the JSON key to an unauthorized user.
==== ====
[[fallback-values-authorization-denied]] [[fallback-values-authorization-denied]]