Add AuthorizationResult support for AuthorizationManager

Closes gh-14843

config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,8 +32,8 @@ import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.TestingAuthenticationToken;
-import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.FilterChainProxy;
@@ -221,7 +221,8 @@ public class DefaultFilterChainValidator implements FilterChainProxy.FilterChain
 			AuthorizationManager<HttpServletRequest> authorizationManager = authorizationFilter
 				.getAuthorizationManager();
 			try {
-				AuthorizationDecision decision = authorizationManager.check(() -> TEST, loginRequest.getHttpRequest());
+				AuthorizationResult decision = authorizationManager.authorize(() -> TEST,
+						loginRequest.getHttpRequest());
 				return decision != null && decision.isGranted();
 			}
 			catch (Exception ex) {
@@ -252,7 +253,8 @@ public class DefaultFilterChainValidator implements FilterChainProxy.FilterChain
 			return () -> {
 				AuthorizationManager<HttpServletRequest> authorizationManager = authorizationFilter
 					.getAuthorizationManager();
-				AuthorizationDecision decision = authorizationManager.check(() -> token, loginRequest.getHttpRequest());
+				AuthorizationResult decision = authorizationManager.authorize(() -> token,
+						loginRequest.getHttpRequest());
 				return decision != null && decision.isGranted();
 			};
 		}

config/src/test/java/org/springframework/security/config/http/DefaultFilterChainValidatorTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -113,6 +113,7 @@ public class DefaultFilterChainValidatorTests {
 	@Test
 	public void validateCheckLoginPageAllowsAnonymous() {
 		given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false));
+		given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
 		this.validator.validate(this.chainAuthorizationFilter);
 		verify(this.logger).warn("Anonymous access to the login page doesn't appear to be enabled. "
 				+ "This is almost certainly an error. Please check your configuration allows unauthenticated "

config/src/test/java/org/springframework/security/config/http/HttpConfigTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -91,6 +91,7 @@ public class HttpConfigTests {
 		AuthorizationManager<HttpServletRequest> authorizationManager = this.spring.getContext()
 			.getBean(AuthorizationManager.class);
 		given(authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false));
+		given(authorizationManager.authorize(any(), any())).willCallRealMethod();
 		// @formatter:off
 		this.mvc.perform(get("/"))
 				.andExpect(status().isFound())

config/src/test/java/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.java

@@ -514,6 +514,7 @@ public class WebSocketMessageBrokerConfigTests {
 		AuthorizationManager<Message<?>> authorizationManager = this.spring.getContext()
 			.getBean(AuthorizationManager.class);
 		given(authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false));
+		given(authorizationManager.authorize(any(), any())).willCallRealMethod();
 		Message<?> message = message("/any");
 		assertThatExceptionOfType(Exception.class).isThrownBy(send(message))
 			.withCauseInstanceOf(AccessDeniedException.class);

core/src/main/java/org/springframework/security/authorization/AuthorizationManager.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -50,8 +50,23 @@ public interface AuthorizationManager<T> {
 	 * @param authentication the {@link Supplier} of the {@link Authentication} to check
 	 * @param object the {@link T} object to check
 	 * @return an {@link AuthorizationDecision} or null if no decision could be made
+	 * @deprecated please use {@link #authorize(Supplier, Object)} instead
 	 */
 	@Nullable
+	@Deprecated
 	AuthorizationDecision check(Supplier<Authentication> authentication, T object);
 
+	/**
+	 * Determines if access is granted for a specific authentication and object.
+	 * @param authentication the {@link Supplier} of the {@link Authentication} to
+	 * authorize
+	 * @param object the {@link T} object to authorize
+	 * @return an {@link AuthorizationResult}
+	 * @since 6.4
+	 */
+	@Nullable
+	default AuthorizationResult authorize(Supplier<Authentication> authentication, T object) {
+		return check(authentication, object);
+	}
+
 }

core/src/main/java/org/springframework/security/authorization/AuthorizationObservationContext.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -35,6 +35,8 @@ public class AuthorizationObservationContext<T> extends Observation.Context {
 
 	private AuthorizationDecision decision;
 
+	private AuthorizationResult authorizationResult;
+
 	public AuthorizationObservationContext(T object) {
 		Assert.notNull(object, "object cannot be null");
 		this.object = object;
@@ -71,17 +73,43 @@ public class AuthorizationObservationContext<T> extends Observation.Context {
 	/**
 	 * Get the observed {@link AuthorizationDecision}
 	 * @return the observed {@link AuthorizationDecision}
+	 * @deprecated please use {@link #getAuthorizationResult()} instead
 	 */
+	@Deprecated
 	public AuthorizationDecision getDecision() {
-		return this.decision;
+		Assert.isInstanceOf(AuthorizationDecision.class, this.authorizationResult,
+				"Please call getAuthorizationResult instead. If you must call getDecision, please ensure that the result you provide is of type AuthorizationDecision");
+		return (AuthorizationDecision) this.authorizationResult;
 	}
 
 	/**
 	 * Set the observed {@link AuthorizationDecision}
 	 * @param decision the observed {@link AuthorizationDecision}
+	 * @deprecated please use {@link #setAuthorizationResult(AuthorizationResult)} instead
 	 */
+	@Deprecated
 	public void setDecision(AuthorizationDecision decision) {
+		Assert.isInstanceOf(AuthorizationDecision.class, decision,
+				"Please call setAuthorizationResult instead. If you must call getDecision, please ensure that the result you provide is of type AuthorizationDecision");
 		this.decision = decision;
 	}
 
+	/**
+	 * Get the observed {@link AuthorizationResult}
+	 * @return the observed {@link AuthorizationResult}
+	 * @since 6.4
+	 */
+	public AuthorizationResult getAuthorizationResult() {
+		return this.authorizationResult;
+	}
+
+	/**
+	 * Set the observed {@link AuthorizationResult}
+	 * @param authorizationResult the observed {@link AuthorizationResult}
+	 * @since 6.4
+	 */
+	public void setAuthorizationResult(AuthorizationResult authorizationResult) {
+		this.authorizationResult = authorizationResult;
+	}
+
 }

core/src/main/java/org/springframework/security/authorization/AuthorizationObservationConvention.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -100,10 +100,10 @@ public final class AuthorizationObservationConvention
 	}
 
 	private String getAuthorizationDecision(AuthorizationObservationContext<?> context) {
-		if (context.getDecision() == null) {
+		if (context.getAuthorizationResult() == null) {
 			return "unknown";
 		}
-		return String.valueOf(context.getDecision().isGranted());
+		return String.valueOf(context.getAuthorizationResult().isGranted());
 	}
 
 	private String getAuthorities(AuthorizationObservationContext<?> context) {
@@ -114,10 +114,10 @@ public final class AuthorizationObservationConvention
 	}
 
 	private String getDecisionDetails(AuthorizationObservationContext<?> context) {
-		if (context.getDecision() == null) {
+		if (context.getAuthorizationResult() == null) {
 			return "unknown";
 		}
-		AuthorizationDecision decision = context.getDecision();
+		AuthorizationResult decision = context.getAuthorizationResult();
 		return String.valueOf(decision);
 	}
 

core/src/main/java/org/springframework/security/authorization/ObservationAuthorizationManager.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -71,7 +71,7 @@ public final class ObservationAuthorizationManager<T>
 		Observation observation = Observation.createNotStarted(this.convention, () -> context, this.registry).start();
 		try (Observation.Scope scope = observation.openScope()) {
 			AuthorizationDecision decision = this.delegate.check(wrapped, object);
-			context.setDecision(decision);
+			context.setAuthorizationResult(decision);
 			if (decision != null && !decision.isGranted()) {
 				observation.error(new AccessDeniedException(
 						this.messages.getMessage("AbstractAccessDecisionManager.accessDenied", "Access Denied")));

core/src/main/java/org/springframework/security/authorization/ObservationReactiveAuthorizationManager.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -68,7 +68,7 @@ public final class ObservationReactiveAuthorizationManager<T>
 				.parentObservation(contextView.getOrDefault(ObservationThreadLocalAccessor.KEY, null))
 				.start();
 			return this.delegate.check(wrapped, object).doOnSuccess((decision) -> {
-				context.setDecision(decision);
+				context.setAuthorizationResult(decision);
 				if (decision == null || !decision.isGranted()) {
 					observation.error(new AccessDeniedException("Access Denied"));
 				}

core/src/main/java/org/springframework/security/authorization/ReactiveAuthorizationManager.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,7 +36,9 @@ public interface ReactiveAuthorizationManager<T> {
 	 * @param authentication the Authentication to check
 	 * @param object the object to check
 	 * @return an decision or empty Mono if no decision could be made.
+	 * @deprecated please use {@link #authorize(Mono, Object)} instead
 	 */
+	@Deprecated
 	Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object);
 
 	/**
@@ -55,4 +57,15 @@ public interface ReactiveAuthorizationManager<T> {
 		// @formatter:on
 	}
 
+	/**
+	 * Determines if access is granted for a specific authentication and object.
+	 * @param authentication the Authentication to authorize
+	 * @param object the object to check
+	 * @return an decision or empty Mono if no decision could be made.
+	 * @since 6.4
+	 */
+	default Mono<AuthorizationResult> authorize(Mono<Authentication> authentication, T object) {
+		return check(authentication, object).cast(AuthorizationResult.class);
+	}
+
 }

core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptor.java

@@ -29,10 +29,10 @@ import org.springframework.core.log.LogMessage;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.prepost.PostAuthorize;
 import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
-import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationDeniedException;
 import org.springframework.security.authorization.AuthorizationEventPublisher;
 import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
@@ -182,7 +182,7 @@ public final class AuthorizationManagerAfterMethodInterceptor implements Authori
 	private Object attemptAuthorization(MethodInvocation mi, Object result) {
 		this.logger.debug(LogMessage.of(() -> "Authorizing method invocation " + mi));
 		MethodInvocationResult object = new MethodInvocationResult(mi, result);
-		AuthorizationDecision decision = this.authorizationManager.check(this::getAuthentication, object);
+		AuthorizationResult decision = this.authorizationManager.authorize(this::getAuthentication, object);
 		this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, object, decision);
 		if (decision != null && !decision.isGranted()) {
 			this.logger.debug(LogMessage.of(() -> "Failed to authorize " + mi + " with authorization manager "
@@ -193,7 +193,7 @@ public final class AuthorizationManagerAfterMethodInterceptor implements Authori
 		return result;
 	}
 
-	private Object handlePostInvocationDenied(MethodInvocationResult mi, AuthorizationDecision decision) {
+	private Object handlePostInvocationDenied(MethodInvocationResult mi, AuthorizationResult decision) {
 		if (this.authorizationManager instanceof MethodAuthorizationDeniedHandler deniedHandler) {
 			return deniedHandler.handleDeniedInvocationResult(mi, decision);
 		}

core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterReactiveMethodInterceptor.java

@@ -164,7 +164,7 @@ public final class AuthorizationManagerAfterReactiveMethodInterceptor implements
 
 	private Mono<Object> postAuthorize(Mono<Authentication> authentication, MethodInvocation mi, Object result) {
 		MethodInvocationResult invocationResult = new MethodInvocationResult(mi, result);
-		return this.authorizationManager.check(authentication, invocationResult)
+		return this.authorizationManager.authorize(authentication, invocationResult)
 			.switchIfEmpty(Mono.just(new AuthorizationDecision(false)))
 			.flatMap((decision) -> postProcess(decision, invocationResult));
 	}

core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptor.java

@@ -33,7 +33,6 @@ import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.annotation.Secured;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
-import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationDeniedException;
 import org.springframework.security.authorization.AuthorizationEventPublisher;
 import org.springframework.security.authorization.AuthorizationManager;
@@ -247,9 +246,9 @@ public final class AuthorizationManagerBeforeMethodInterceptor implements Author
 
 	private Object attemptAuthorization(MethodInvocation mi) throws Throwable {
 		this.logger.debug(LogMessage.of(() -> "Authorizing method invocation " + mi));
-		AuthorizationDecision decision;
+		AuthorizationResult decision;
 		try {
-			decision = this.authorizationManager.check(this::getAuthentication, mi);
+			decision = this.authorizationManager.authorize(this::getAuthentication, mi);
 		}
 		catch (AuthorizationDeniedException denied) {
 			return handle(mi, denied);

core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeReactiveMethodInterceptor.java

@@ -140,7 +140,7 @@ public final class AuthorizationManagerBeforeReactiveMethodInterceptor implement
 
 	private Flux<Object> preAuthorized(MethodInvocation mi, Flux<Object> mapping) {
 		Mono<Authentication> authentication = ReactiveAuthenticationUtils.getAuthentication();
-		return this.authorizationManager.check(authentication, mi)
+		return this.authorizationManager.authorize(authentication, mi)
 			.switchIfEmpty(Mono.just(new AuthorizationDecision(false)))
 			.flatMapMany((decision) -> {
 				if (decision.isGranted()) {
@@ -153,7 +153,7 @@ public final class AuthorizationManagerBeforeReactiveMethodInterceptor implement
 
 	private Mono<Object> preAuthorized(MethodInvocation mi, Mono<Object> mapping) {
 		Mono<Authentication> authentication = ReactiveAuthenticationUtils.getAuthentication();
-		return this.authorizationManager.check(authentication, mi)
+		return this.authorizationManager.authorize(authentication, mi)
 			.switchIfEmpty(Mono.just(new AuthorizationDecision(false)))
 			.flatMap((decision) -> {
 				if (decision.isGranted()) {

core/src/main/java/org/springframework/security/authorization/method/NoOpAuthorizationEventPublisher.java

@@ -39,6 +39,7 @@ final class NoOpAuthorizationEventPublisher implements AuthorizationEventPublish
 	@Override
 	public <T> void publishAuthorizationEvent(Supplier<Authentication> authentication, T object,
 			AuthorizationResult result) {
+
 	}
 
 }

core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptorTests.java

@@ -74,6 +74,7 @@ public class AuthorizationManagerAfterMethodInterceptorTests {
 		MethodInvocationResult result = new MethodInvocationResult(mockMethodInvocation, new Object());
 		given(mockMethodInvocation.proceed()).willReturn(result.getResult());
 		AuthorizationManager<MethodInvocationResult> mockAuthorizationManager = mock(AuthorizationManager.class);
+		given(mockAuthorizationManager.authorize(any(), any())).willCallRealMethod();
 		AuthorizationManagerAfterMethodInterceptor advice = new AuthorizationManagerAfterMethodInterceptor(
 				Pointcut.TRUE, mockAuthorizationManager);
 		Object returnedObject = advice.invoke(mockMethodInvocation);
@@ -152,6 +153,7 @@ public class AuthorizationManagerAfterMethodInterceptorTests {
 		AuthorizationManager<MethodInvocationResult> manager = mock(AuthorizationManager.class);
 		given(manager.check(any(), any()))
 			.willThrow(new MyAuthzDeniedException("denied", new AuthorizationDecision(false)));
+		given(manager.authorize(any(), any())).willCallRealMethod();
 		AuthorizationManagerAfterMethodInterceptor advice = new AuthorizationManagerAfterMethodInterceptor(
 				Pointcut.TRUE, manager);
 		assertThatExceptionOfType(MyAuthzDeniedException.class).isThrownBy(() -> advice.invoke(mi));

core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerAfterReactiveMethodInterceptorTests.java

@@ -72,6 +72,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
 				ReactiveAuthorizationManager.class);
 		given(mockReactiveAuthorizationManager.check(any(), any()))
 			.willReturn(Mono.just(new AuthorizationDecision(true)));
+		given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
 		AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor(
 				Pointcut.TRUE, mockReactiveAuthorizationManager);
 		Object result = interceptor.invoke(mockMethodInvocation);
@@ -90,6 +91,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
 				ReactiveAuthorizationManager.class);
 		given(mockReactiveAuthorizationManager.check(any(), any()))
 			.willReturn(Mono.just(new AuthorizationDecision(true)));
+		given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
 		AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor(
 				Pointcut.TRUE, mockReactiveAuthorizationManager);
 		Object result = interceptor.invoke(mockMethodInvocation);
@@ -109,6 +111,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
 				ReactiveAuthorizationManager.class);
 		given(mockReactiveAuthorizationManager.check(any(), any()))
 			.willReturn(Mono.just(new AuthorizationDecision(false)));
+		given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
 		AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor(
 				Pointcut.TRUE, mockReactiveAuthorizationManager);
 		Object result = interceptor.invoke(mockMethodInvocation);
@@ -130,6 +133,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
 		given(mockReactiveAuthorizationManager.handleDeniedInvocationResult(any(), any(AuthorizationResult.class)))
 			.willAnswer(this::masking);
 		given(mockReactiveAuthorizationManager.check(any(), any())).willReturn(Mono.empty());
+		given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
 		AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor(
 				Pointcut.TRUE, mockReactiveAuthorizationManager);
 		Object result = interceptor.invoke(mockMethodInvocation);
@@ -156,6 +160,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
 				return Mono.just(argument.getResult());
 			});
 		given(mockReactiveAuthorizationManager.check(any(), any())).willReturn(Mono.empty());
+		given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
 		AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor(
 				Pointcut.TRUE, mockReactiveAuthorizationManager);
 		Object result = interceptor.invoke(mockMethodInvocation);
@@ -176,6 +181,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
 		given(mockReactiveAuthorizationManager.handleDeniedInvocationResult(any(), any(AuthorizationResult.class)))
 			.willAnswer(this::masking);
 		given(mockReactiveAuthorizationManager.check(any(), any())).willReturn(Mono.empty());
+		given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
 		AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor(
 				Pointcut.TRUE, mockReactiveAuthorizationManager);
 		Object result = interceptor.invoke(mockMethodInvocation);
@@ -195,6 +201,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
 		given(mockReactiveAuthorizationManager.handleDeniedInvocationResult(any(), any(AuthorizationResult.class)))
 			.willAnswer(this::monoMasking);
 		given(mockReactiveAuthorizationManager.check(any(), any())).willReturn(Mono.empty());
+		given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
 		AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor(
 				Pointcut.TRUE, mockReactiveAuthorizationManager);
 		Object result = interceptor.invoke(mockMethodInvocation);
@@ -214,6 +221,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
 		given(mockReactiveAuthorizationManager.handleDeniedInvocationResult(any(), any(AuthorizationResult.class)))
 			.willReturn(null);
 		given(mockReactiveAuthorizationManager.check(any(), any())).willReturn(Mono.empty());
+		given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
 		AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor(
 				Pointcut.TRUE, mockReactiveAuthorizationManager);
 		Object result = interceptor.invoke(mockMethodInvocation);
@@ -231,6 +239,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
 		ReactiveAuthorizationManager<MethodInvocationResult> mockReactiveAuthorizationManager = mock(
 				ReactiveAuthorizationManager.class);
 		given(mockReactiveAuthorizationManager.check(any(), any())).willReturn(Mono.empty());
+		given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
 		AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor(
 				Pointcut.TRUE, mockReactiveAuthorizationManager);
 		Object result = interceptor.invoke(mockMethodInvocation);
@@ -249,6 +258,7 @@ public class AuthorizationManagerAfterReactiveMethodInterceptorTests {
 		ReactiveAuthorizationManager<MethodInvocationResult> manager = mock(ReactiveAuthorizationManager.class);
 		given(manager.check(any(), any()))
 			.willReturn(Mono.error(new MyAuthzDeniedException("denied", new AuthorizationDecision(false))));
+		given(manager.authorize(any(), any())).willCallRealMethod();
 		AuthorizationManagerAfterReactiveMethodInterceptor advice = new AuthorizationManagerAfterReactiveMethodInterceptor(
 				Pointcut.TRUE, manager);
 		assertThatExceptionOfType(MyAuthzDeniedException.class)

core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptorTests.java

@@ -70,6 +70,7 @@ public class AuthorizationManagerBeforeMethodInterceptorTests {
 	public void beforeWhenMockAuthorizationManagerThenCheck() throws Throwable {
 		MethodInvocation mockMethodInvocation = mock(MethodInvocation.class);
 		AuthorizationManager<MethodInvocation> mockAuthorizationManager = mock(AuthorizationManager.class);
+		given(mockAuthorizationManager.authorize(any(), any())).willCallRealMethod();
 		AuthorizationManagerBeforeMethodInterceptor advice = new AuthorizationManagerBeforeMethodInterceptor(
 				Pointcut.TRUE, mockAuthorizationManager);
 		advice.invoke(mockMethodInvocation);
@@ -143,6 +144,7 @@ public class AuthorizationManagerBeforeMethodInterceptorTests {
 		AuthorizationManager<MethodInvocation> manager = mock(AuthorizationManager.class);
 		given(manager.check(any(), any()))
 			.willThrow(new MyAuthzDeniedException("denied", new AuthorizationDecision(false)));
+		given(manager.authorize(any(), any())).willCallRealMethod();
 		AuthorizationManagerBeforeMethodInterceptor advice = new AuthorizationManagerBeforeMethodInterceptor(
 				Pointcut.TRUE, manager);
 		assertThatExceptionOfType(MyAuthzDeniedException.class).isThrownBy(() -> advice.invoke(null));

core/src/test/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeReactiveMethodInterceptorTests.java

@@ -72,6 +72,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
 				ReactiveAuthorizationManager.class);
 		given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation)))
 			.willReturn(Mono.just(new AuthorizationDecision(true)));
+		given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
 		AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor(
 				Pointcut.TRUE, mockReactiveAuthorizationManager);
 		Object result = interceptor.invoke(mockMethodInvocation);
@@ -90,6 +91,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
 				ReactiveAuthorizationManager.class);
 		given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation)))
 			.willReturn(Mono.just(new AuthorizationDecision((true))));
+		given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
 		AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor(
 				Pointcut.TRUE, mockReactiveAuthorizationManager);
 		Object result = interceptor.invoke(mockMethodInvocation);
@@ -109,6 +111,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
 				ReactiveAuthorizationManager.class);
 		given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation)))
 			.willReturn(Mono.just(new AuthorizationDecision(false)));
+		given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
 		AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor(
 				Pointcut.TRUE, mockReactiveAuthorizationManager);
 		Object result = interceptor.invoke(mockMethodInvocation);
@@ -127,6 +130,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
 		HandlingReactiveAuthorizationManager mockReactiveAuthorizationManager = mock(
 				HandlingReactiveAuthorizationManager.class);
 		given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation))).willReturn(Mono.empty());
+		given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
 		given(mockReactiveAuthorizationManager.handleDeniedInvocation(any(), any(AuthorizationResult.class)))
 			.willReturn("***");
 		AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor(
@@ -146,6 +150,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
 		HandlingReactiveAuthorizationManager mockReactiveAuthorizationManager = mock(
 				HandlingReactiveAuthorizationManager.class);
 		given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation))).willReturn(Mono.empty());
+		given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
 		given(mockReactiveAuthorizationManager.handleDeniedInvocation(any(), any(AuthorizationResult.class)))
 			.willReturn(Mono.just("***"));
 		AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor(
@@ -165,6 +170,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
 		HandlingReactiveAuthorizationManager mockReactiveAuthorizationManager = mock(
 				HandlingReactiveAuthorizationManager.class);
 		given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation))).willReturn(Mono.empty());
+		given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
 		given(mockReactiveAuthorizationManager.handleDeniedInvocation(any(), any(AuthorizationResult.class)))
 			.willReturn(Mono.just("***"));
 		AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor(
@@ -185,6 +191,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
 		ReactiveAuthorizationManager<MethodInvocation> mockReactiveAuthorizationManager = mock(
 				ReactiveAuthorizationManager.class);
 		given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation))).willReturn(Mono.empty());
+		given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
 		AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor(
 				Pointcut.TRUE, mockReactiveAuthorizationManager);
 		Object result = interceptor.invoke(mockMethodInvocation);
@@ -203,6 +210,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
 		ReactiveAuthorizationManager<MethodInvocation> mockReactiveAuthorizationManager = mock(
 				ReactiveAuthorizationManager.class);
 		given(mockReactiveAuthorizationManager.check(any(), eq(mockMethodInvocation))).willReturn(Mono.empty());
+		given(mockReactiveAuthorizationManager.authorize(any(), any())).willCallRealMethod();
 		AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor(
 				Pointcut.TRUE, mockReactiveAuthorizationManager);
 		Object result = interceptor.invoke(mockMethodInvocation);
@@ -220,6 +228,7 @@ public class AuthorizationManagerBeforeReactiveMethodInterceptorTests {
 		ReactiveAuthorizationManager<MethodInvocation> manager = mock(ReactiveAuthorizationManager.class);
 		given(manager.check(any(), any()))
 			.willThrow(new MyAuthzDeniedException("denied", new AuthorizationDecision(false)));
+		given(manager.authorize(any(), any())).willCallRealMethod();
 		AuthorizationManagerBeforeReactiveMethodInterceptor advice = new AuthorizationManagerBeforeReactiveMethodInterceptor(
 				Pointcut.TRUE, manager);
 		assertThatExceptionOfType(MyAuthzDeniedException.class)

messaging/src/main/java/org/springframework/security/messaging/access/intercept/AuthorizationChannelInterceptor.java

@@ -67,7 +67,7 @@ public final class AuthorizationChannelInterceptor implements ChannelInterceptor
 	@Override
 	public Message<?> preSend(Message<?> message, MessageChannel channel) {
 		this.logger.debug(LogMessage.of(() -> "Authorizing message send"));
-		AuthorizationDecision decision = this.preSendAuthorizationManager.check(this.authentication, message);
+		AuthorizationResult decision = this.preSendAuthorizationManager.authorize(this.authentication, message);
 		this.eventPublisher.publishAuthorizationEvent(this.authentication, message, decision);
 		if (decision == null || !decision.isGranted()) { // default deny
 			this.logger.debug(LogMessage.of(() -> "Failed to authorize message with authorization manager "

messaging/src/test/java/org/springframework/security/messaging/access/intercept/AuthorizationChannelInterceptorTests.java

@@ -84,12 +84,14 @@ public class AuthorizationChannelInterceptorTests {
 	@Test
 	public void preSendWhenAllowThenSameMessage() {
 		given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(true));
+		given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
 		assertThat(this.interceptor.preSend(this.message, this.channel)).isSameAs(this.message);
 	}
 
 	@Test
 	public void preSendWhenDenyThenException() {
 		given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false));
+		given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
 		assertThatExceptionOfType(AccessDeniedException.class)
 			.isThrownBy(() -> this.interceptor.preSend(this.message, this.channel));
 	}
@@ -104,6 +106,7 @@ public class AuthorizationChannelInterceptorTests {
 	public void preSendWhenAuthorizationEventPublisherThenPublishes() {
 		this.interceptor.setAuthorizationEventPublisher(this.eventPublisher);
 		given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(true));
+		given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
 		lenient().doCallRealMethod()
 			.when(this.eventPublisher)
 			.publishAuthorizationEvent(any(), any(), any(AuthorizationResult.class));

web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,8 +19,8 @@ package org.springframework.security.web.access;
 import jakarta.servlet.ServletContext;
 import jakarta.servlet.http.HttpServletRequest;
 
-import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.FilterInvocation;
 import org.springframework.util.Assert;
@@ -57,7 +57,7 @@ public final class AuthorizationManagerWebInvocationPrivilegeEvaluator
 	public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
 		FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
 		HttpServletRequest httpRequest = this.requestTransformer.transform(filterInvocation.getHttpRequest());
-		AuthorizationDecision decision = this.authorizationManager.check(() -> authentication, httpRequest);
+		AuthorizationResult decision = this.authorizationManager.authorize(() -> authentication, httpRequest);
 		return decision == null || decision.isGranted();
 	}
 

web/src/main/java/org/springframework/security/web/access/intercept/AuthorizationFilter.java

@@ -93,7 +93,7 @@ public class AuthorizationFilter extends GenericFilterBean {
 		String alreadyFilteredAttributeName = getAlreadyFilteredAttributeName();
 		request.setAttribute(alreadyFilteredAttributeName, Boolean.TRUE);
 		try {
-			AuthorizationDecision decision = this.authorizationManager.check(this::getAuthentication, request);
+			AuthorizationResult decision = this.authorizationManager.authorize(this::getAuthentication, request);
 			this.eventPublisher.publishAuthorizationEvent(this::getAuthentication, request, decision);
 			if (decision != null && !decision.isGranted()) {
 				throw new AuthorizationDeniedException("Access Denied", decision);

web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -61,6 +61,7 @@ class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests {
 	@Test
 	void isAllowedWhenAuthorizationManagerAllowsThenAllowedTrue() {
 		given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(true));
+		given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
 		boolean allowed = this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
 		assertThat(allowed).isTrue();
 		verify(this.authorizationManager).check(any(), any());
@@ -69,6 +70,7 @@ class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests {
 	@Test
 	void isAllowedWhenAuthorizationManagerDeniesAllowedFalse() {
 		given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false));
+		given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
 		boolean allowed = this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
 		assertThat(allowed).isFalse();
 	}
@@ -76,6 +78,7 @@ class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests {
 	@Test
 	void isAllowedWhenAuthorizationManagerAbstainsThenAllowedTrue() {
 		given(this.authorizationManager.check(any(), any())).willReturn(null);
+		given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
 		boolean allowed = this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
 		assertThat(allowed).isTrue();
 	}
@@ -83,6 +86,7 @@ class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests {
 	@Test
 	void isAllowedWhenServletContextExistsThenFilterInvocationHasServletContext() {
 		ServletContext servletContext = new MockServletContext();
+		given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
 		this.privilegeEvaluator.setServletContext(servletContext);
 		this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
 		ArgumentCaptor<HttpServletRequest> captor = ArgumentCaptor.forClass(HttpServletRequest.class);
@@ -99,6 +103,7 @@ class AuthorizationManagerWebInvocationPrivilegeEvaluatorTests {
 	void isAllowedWhenRequestTransformerThenUsesRequestTransformerResult() {
 		HttpServletRequest request = new MockHttpServletRequest();
 		given(this.requestTransformer.transform(any())).willReturn(request);
+		given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
 		this.privilegeEvaluator.setRequestTransformer(this.requestTransformer);
 
 		this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());

web/src/test/java/org/springframework/security/web/access/intercept/AuthorizationFilterTests.java

@@ -93,6 +93,7 @@ public class AuthorizationFilterTests {
 	@Test
 	public void filterWhenAuthorizationManagerVerifyPassesThenNextFilter() throws Exception {
 		AuthorizationManager<HttpServletRequest> mockAuthorizationManager = mock(AuthorizationManager.class);
+		given(mockAuthorizationManager.authorize(any(), any())).willCallRealMethod();
 		given(mockAuthorizationManager.check(any(Supplier.class), any(HttpServletRequest.class)))
 			.willReturn(new AuthorizationDecision(true));
 		AuthorizationFilter filter = new AuthorizationFilter(mockAuthorizationManager);
@@ -120,6 +121,7 @@ public class AuthorizationFilterTests {
 	@Test
 	public void filterWhenAuthorizationManagerVerifyThrowsAccessDeniedExceptionThenStopFilterChain() {
 		AuthorizationManager<HttpServletRequest> mockAuthorizationManager = mock(AuthorizationManager.class);
+		given(mockAuthorizationManager.authorize(any(), any())).willCallRealMethod();
 		AuthorizationFilter filter = new AuthorizationFilter(mockAuthorizationManager);
 		TestingAuthenticationToken authenticationToken = new TestingAuthenticationToken("user", "password");
 
@@ -198,6 +200,7 @@ public class AuthorizationFilterTests {
 	@Test
 	public void doFilterWhenErrorThenDoFilter() throws Exception {
 		AuthorizationManager<HttpServletRequest> authorizationManager = mock(AuthorizationManager.class);
+		given(authorizationManager.authorize(any(), any())).willCallRealMethod();
 		AuthorizationFilter authorizationFilter = new AuthorizationFilter(authorizationManager);
 		MockHttpServletRequest mockRequest = new MockHttpServletRequest(null, "/path");
 		mockRequest.setDispatcherType(DispatcherType.ERROR);
@@ -234,6 +237,7 @@ public class AuthorizationFilterTests {
 
 	@Test
 	public void doFilterWhenObserveOncePerRequestTrueAndNotAppliedThenInvoked() throws ServletException, IOException {
+		given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
 		this.filter.setObserveOncePerRequest(true);
 		this.filter.doFilter(this.request, this.response, this.chain);
 		verify(this.authorizationManager).check(any(), any());
@@ -242,6 +246,7 @@ public class AuthorizationFilterTests {
 	@Test
 	public void doFilterWhenObserveOncePerRequestFalseAndIsAppliedThenInvoked() throws ServletException, IOException {
 		setIsAppliedTrue();
+		given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
 		this.filter.setObserveOncePerRequest(false);
 		this.filter.doFilter(this.request, this.response, this.chain);
 		verify(this.authorizationManager).check(any(), any());
@@ -249,6 +254,7 @@ public class AuthorizationFilterTests {
 
 	@Test
 	public void doFilterWhenObserveOncePerRequestFalseAndNotAppliedThenInvoked() throws ServletException, IOException {
+		given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
 		this.filter.setObserveOncePerRequest(false);
 		this.filter.doFilter(this.request, this.response, this.chain);
 		verify(this.authorizationManager).check(any(), any());
@@ -264,6 +270,7 @@ public class AuthorizationFilterTests {
 
 	@Test
 	public void doFilterWhenFilterErrorDispatchTrueAndIsErrorThenInvoked() throws ServletException, IOException {
+		given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
 		this.request.setDispatcherType(DispatcherType.ERROR);
 		this.filter.setFilterErrorDispatch(true);
 		this.filter.doFilter(this.request, this.response, this.chain);
@@ -287,6 +294,7 @@ public class AuthorizationFilterTests {
 
 	@Test
 	public void doFilterWhenFilterAsyncDispatchTrueAndIsAsyncThenInvoked() throws ServletException, IOException {
+		given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
 		this.request.setDispatcherType(DispatcherType.ASYNC);
 		this.filter.setFilterAsyncDispatch(true);
 		this.filter.doFilter(this.request, this.response, this.chain);