Create Authorized Proxy of Return Values

[jzheaux]

Proxy arbitrary objects like so:

public class Flight {
    @PreAuthorize("hasAuthority('airplane:read')")
    Double getAltitude() {
        return 35000d;
    }
}

// ...

var factory = new AuthorizationAdvisorProxyFactory();
var flight = new Flight();
assertThatNoException().isThrownBy(flight::getAltitude);
Flight proxied = (Flight) factory.proxy(flight);
assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(proxied::getAltitude);

For return values of type Iterator, Collection, Stream, Array, and Map, the values are proxied instead of the collection.

Also when adding @EnableMethodSecurity, you can do:

@Component
@AuthorizeReturnObject
public class FlightRepository {
    Iterator<Flight> findAll() {
        return List.of(new Flight()).iterator();
    }
}

// ...

And then each Flight returned will be proxied.

Also works for @EnableReactiveMethodSecurity:

@Component
@AuthorizeReturnObject
public class FlightRepository {
    Flux<Flight> findAll() {
        return Flux.just(new Flight());
    }
}

// ...

Additionally, if you have types that you want to skip globally, for example, value return types, you can do:

@Bean 
AuthorizationProxyFactoryPredicate skipValueTypes() {
    return SkipAuthorizationProxyFactoryPredicate.skipValueTypes();
}

This is handy when using @AuthorizeReturnObject at the class level, in case some of the methods return value types (String, Integer, etc.) that you have no need to proxy,

[rwinch]

For return values of type Iterator, Collection, Stream, Array, and Map, the values are proxied instead of the collection.

We should consider how this works with @PostAuthorize and @PostFilter too.

[rwinch]

I wonder if we could consider @AuthorizeReturnObject over @AuthorizedResult which

• removes the d to align with PreAuthorize and PostAuthorize
• Uses ReturnObject to align with SpEL keyword of returnObject

[rwinch]

Thanks @jzheaux This looks good!