Pre/PostAuthorize should not ignore HandleAuthorizationDenied#handlerClass when ApplicationContext is not provided #15535

Closed
jzheaux opened this issue Aug 7, 2024 · 1 comment
Labels
in: core An issue in spring-security-core status: declined A suggestion or change that we don't feel we should currently apply type: bug A general bug
jzheaux commented Aug 7, 2024

A test like this:

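```java
import static org.assertj.core.api.Assertions.assertThat;

import org.aopalliance.intercept.MethodInvocation;
import org.junit.jupiter.api.Test;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authorization.AuthorizationProxyFactory;
import org.springframework.security.authorization.AuthorizationResult;
import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
import org.springframework.security.authorization.method.HandleAuthorizationDenied;
import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;

public class HandleTests {

    @Test
    public void test() {
        // The proxy factory is built with defaults; no ApplicationContext is supplied.
        AuthorizationProxyFactory proxyFactory = AuthorizationAdvisorProxyFactory.withDefaults();
        Account account = (Account) proxyFactory.proxy(new Account());
        // The test expects the denied call to be handled by returning null.
        assertThat(account.getAccountNumber()).isNull();
    }

    public static class Account {
        // "denyAll" always denies, so the declared handler is expected to run.
        @PreAuthorize("denyAll")
        @HandleAuthorizationDenied(handlerClass = NullMethodAuthorizationDeniedHandler.class)
        public String getAccountNumber() {
            return "123";
        }
    }

    // Handler that returns null for a denied invocation instead of throwing.
    public class NullMethodAuthorizationDeniedHandler implements MethodAuthorizationDeniedHandler {
        @Override
        public Object handleDeniedInvocation(MethodInvocation methodInvocation, AuthorizationResult authorizationResult) {
            return null;
        }
    }
}
```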

Will fall back to throwing an exception since there is no application context provided to PostAuthorizeAuthorizationManager.

Instead, it should at least error so the application doesn't get the impression that their handler class is being used.

@jzheaux jzheaux added in: core An issue in spring-security-core type: bug A general bug labels Aug 7, 2024
@jzheaux jzheaux added this to the 6.3.2 milestone Aug 7, 2024
@jzheaux jzheaux self-assigned this Aug 7, 2024
@jzheaux jzheaux added the status: invalid An issue that we don't feel is valid label Aug 7, 2024
jzheaux commented Aug 7, 2024

Let's backport #15496 instead.

@jzheaux jzheaux closed this as completed Aug 7, 2024
@jzheaux jzheaux added status: declined A suggestion or change that we don't feel we should currently apply and removed status: invalid An issue that we don't feel is valid labels Aug 7, 2024