Polish AuthorizationDeniedException Handling

jzheaux · jzheaux · commit 933ef676376f · 2024-04-11T14:30:00.000-06:00
Issue gh-14600
diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorizationDeniedException.java b/core/src/main/java/org/springframework/security/authorization/AuthorizationDeniedException.java
@@ -25,7 +25,7 @@
  * @author Marcus da Coregio
  * @since 6.3
  */
-public class AuthorizationDeniedException extends AccessDeniedException {
+public class AuthorizationDeniedException extends AccessDeniedException implements AuthorizationResult {
 
 	private final AuthorizationResult result;
 
@@ -40,4 +40,9 @@ public AuthorizationResult getAuthorizationResult() {
 		return this.result;
 	}
 
+	@Override
+	public boolean isGranted() {
+		return false;
+	}
+
 }
diff --git a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptor.java b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterMethodInterceptor.java
@@ -33,6 +33,7 @@
 import org.springframework.security.authorization.AuthorizationDeniedException;
 import org.springframework.security.authorization.AuthorizationEventPublisher;
 import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
@@ -190,14 +191,7 @@ private Object attemptAuthorization(MethodInvocation mi, Object result) {
 		return result;
 	}
 
-	private Object postProcess(MethodInvocationResult mi, AuthorizationDeniedException denied) {
-		if (this.authorizationManager instanceof MethodAuthorizationDeniedPostProcessor postProcessableDecision) {
-			return postProcessableDecision.postProcessResult(mi, denied);
-		}
-		return this.defaultPostProcessor.postProcessResult(mi, denied);
-	}
-
-	private Object postProcess(MethodInvocationResult mi, AuthorizationDecision decision) {
+	private Object postProcess(MethodInvocationResult mi, AuthorizationResult decision) {
 		if (this.authorizationManager instanceof MethodAuthorizationDeniedPostProcessor postProcessableDecision) {
 			return postProcessableDecision.postProcessResult(mi, decision);
 		}
diff --git a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterReactiveMethodInterceptor.java b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterReactiveMethodInterceptor.java
@@ -35,6 +35,7 @@
 import org.springframework.security.access.prepost.PostAuthorize;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationDeniedException;
+import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.authorization.ReactiveAuthorizationManager;
 import org.springframework.security.core.Authentication;
 import org.springframework.util.Assert;
@@ -165,22 +166,7 @@ private Mono<Object> postAuthorize(Mono<Authentication> authentication, MethodIn
 			});
 	}
 
-	private Mono<Object> postProcess(AuthorizationDeniedException denied,
-			MethodInvocationResult methodInvocationResult) {
-		return Mono.fromSupplier(() -> {
-			if (this.authorizationManager instanceof MethodAuthorizationDeniedPostProcessor postProcessableDecision) {
-				return postProcessableDecision.postProcessResult(methodInvocationResult, denied);
-			}
-			return this.defaultPostProcessor.postProcessResult(methodInvocationResult, denied);
-		}).flatMap((processedResult) -> {
-			if (Mono.class.isAssignableFrom(processedResult.getClass())) {
-				return (Mono<?>) processedResult;
-			}
-			return Mono.justOrEmpty(processedResult);
-		});
-	}
-
-	private Mono<Object> postProcess(AuthorizationDecision decision, MethodInvocationResult methodInvocationResult) {
+	private Mono<Object> postProcess(AuthorizationResult decision, MethodInvocationResult methodInvocationResult) {
 		if (decision.isGranted()) {
 			return Mono.just(methodInvocationResult.getResult());
 		}
diff --git a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptor.java b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeMethodInterceptor.java
@@ -264,13 +264,6 @@ private Object attemptAuthorization(MethodInvocation mi) throws Throwable {
 		return mi.proceed();
 	}
 
-	private Object handle(MethodInvocation mi, AuthorizationDeniedException denied) {
-		if (this.authorizationManager instanceof MethodAuthorizationDeniedHandler handler) {
-			return handler.handle(mi, denied);
-		}
-		return this.defaultHandler.handle(mi, denied);
-	}
-
 	private Object handle(MethodInvocation mi, AuthorizationResult decision) {
 		if (this.authorizationManager instanceof MethodAuthorizationDeniedHandler handler) {
 			return handler.handle(mi, decision);
diff --git a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeReactiveMethodInterceptor.java b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerBeforeReactiveMethodInterceptor.java
@@ -34,6 +34,7 @@
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationDeniedException;
+import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.authorization.ReactiveAuthorizationManager;
 import org.springframework.security.core.Authentication;
 import org.springframework.util.Assert;
@@ -177,21 +178,7 @@ private Mono<Object> preAuthorized(MethodInvocation mi, Mono<Object> mapping) {
 			});
 	}
 
-	private Mono<Object> postProcess(AuthorizationDeniedException denied, MethodInvocation mi) {
-		return Mono.fromSupplier(() -> {
-			if (this.authorizationManager instanceof MethodAuthorizationDeniedHandler handler) {
-				return handler.handle(mi, denied);
-			}
-			return this.defaultHandler.handle(mi, denied);
-		}).flatMap((processedResult) -> {
-			if (Mono.class.isAssignableFrom(processedResult.getClass())) {
-				return (Mono<?>) processedResult;
-			}
-			return Mono.justOrEmpty(processedResult);
-		});
-	}
-
-	private Mono<Object> postProcess(AuthorizationDecision decision, MethodInvocation mi) {
+	private Mono<Object> postProcess(AuthorizationResult decision, MethodInvocation mi) {
 		return Mono.fromSupplier(() -> {
 			if (this.authorizationManager instanceof MethodAuthorizationDeniedHandler handler) {
 				return handler.handle(mi, decision);
diff --git a/core/src/main/java/org/springframework/security/authorization/method/MethodAuthorizationDeniedHandler.java b/core/src/main/java/org/springframework/security/authorization/method/MethodAuthorizationDeniedHandler.java
@@ -19,7 +19,6 @@
 import org.aopalliance.intercept.MethodInvocation;
 
 import org.springframework.lang.Nullable;
-import org.springframework.security.authorization.AuthorizationDeniedException;
 import org.springframework.security.authorization.AuthorizationResult;
 
 /**
@@ -44,18 +43,4 @@ public interface MethodAuthorizationDeniedHandler {
 	@Nullable
 	Object handle(MethodInvocation methodInvocation, AuthorizationResult authorizationResult);
 
-	/**
-	 * Handle denied method invocations, implementations might either throw an
-	 * {@link org.springframework.security.access.AccessDeniedException} or a replacement
-	 * result instead of invoking the method, e.g. a masked value.
-	 * @param methodInvocation the {@link MethodInvocation} related to the authorization
-	 * denied
-	 * @param authorizationDenied the authorization denied exception
-	 * @return a replacement result for the denied method invocation, or null, or a
-	 * {@link reactor.core.publisher.Mono} for reactive applications
-	 */
-	default Object handle(MethodInvocation methodInvocation, AuthorizationDeniedException authorizationDenied) {
-		return handle(methodInvocation, authorizationDenied.getAuthorizationResult());
-	}
-
 }
diff --git a/core/src/main/java/org/springframework/security/authorization/method/MethodAuthorizationDeniedPostProcessor.java b/core/src/main/java/org/springframework/security/authorization/method/MethodAuthorizationDeniedPostProcessor.java
@@ -17,7 +17,6 @@
 package org.springframework.security.authorization.method;
 
 import org.springframework.lang.Nullable;
-import org.springframework.security.authorization.AuthorizationDeniedException;
 import org.springframework.security.authorization.AuthorizationResult;
 
 /**
@@ -44,21 +43,4 @@ public interface MethodAuthorizationDeniedPostProcessor {
 	@Nullable
 	Object postProcessResult(MethodInvocationResult methodInvocationResult, AuthorizationResult authorizationResult);
 
-	/**
-	 * Post-process the denied result produced by a method invocation, implementations
-	 * might either throw an
-	 * {@link org.springframework.security.access.AccessDeniedException} or return a
-	 * replacement result instead of the denied result, e.g. a masked value.
-	 * @param methodInvocationResult the object containing the method invocation and the
-	 * result produced
-	 * @param authorizationDenied the {@link AuthorizationDeniedException} containing the
-	 * authorization denied details
-	 * @return a replacement result for the denied result, or null, or a
-	 * {@link reactor.core.publisher.Mono} for reactive applications
-	 */
-	default Object postProcessResult(MethodInvocationResult methodInvocationResult,
-			AuthorizationDeniedException authorizationDenied) {
-		return postProcessResult(methodInvocationResult, authorizationDenied.getAuthorizationResult());
-	}
-
 }
diff --git a/core/src/main/java/org/springframework/security/authorization/method/ThrowingMethodAuthorizationDeniedHandler.java b/core/src/main/java/org/springframework/security/authorization/method/ThrowingMethodAuthorizationDeniedHandler.java
@@ -32,12 +32,10 @@ public final class ThrowingMethodAuthorizationDeniedHandler implements MethodAut
 
 	@Override
 	public Object handle(MethodInvocation methodInvocation, AuthorizationResult result) {
+		if (result instanceof AuthorizationDeniedException denied) {
+			throw denied;
+		}
 		throw new AuthorizationDeniedException("Access Denied", result);
 	}
 
-	@Override
-	public Object handle(MethodInvocation methodInvocation, AuthorizationDeniedException authorizationDenied) {
-		throw authorizationDenied;
-	}
-
 }
diff --git a/core/src/main/java/org/springframework/security/authorization/method/ThrowingMethodAuthorizationDeniedPostProcessor.java b/core/src/main/java/org/springframework/security/authorization/method/ThrowingMethodAuthorizationDeniedPostProcessor.java
@@ -30,13 +30,10 @@ public final class ThrowingMethodAuthorizationDeniedPostProcessor implements Met
 
 	@Override
 	public Object postProcessResult(MethodInvocationResult methodInvocationResult, AuthorizationResult result) {
+		if (result instanceof AuthorizationDeniedException denied) {
+			throw denied;
+		}
 		throw new AuthorizationDeniedException("Access Denied", result);
 	}
 
-	@Override
-	public Object postProcessResult(MethodInvocationResult methodInvocationResult,
-			AuthorizationDeniedException authorizationDenied) {
-		throw authorizationDenied;
-	}
-
 }

Original file line number	Diff line number	Diff line change
`@@ -32,12 +32,10 @@ public final class ThrowingMethodAuthorizationDeniedHandler implements MethodAut`
`32`	`32`
`33`	`33`	`@Override`
`34`	`34`	`public Object handle(MethodInvocation methodInvocation, AuthorizationResult result) {`
	`35`	`+ if (result instanceof AuthorizationDeniedException denied) {`
	`36`	`+ throw denied;`
	`37`	`+ }`
`35`	`38`	`throw new AuthorizationDeniedException("Access Denied", result);`
`36`	`39`	`}`
`37`	`40`
`38`		`- @Override`
`39`		`- public Object handle(MethodInvocation methodInvocation, AuthorizationDeniedException authorizationDenied) {`
`40`		`- throw authorizationDenied;`
`41`		`- }`
`42`		`-`
`43`	`41`	`}`