Add @AuthorizationDeniedHandler for Method Authorization Denied Handling

Issue gh-14601

Author: marcusdacoregio

config/src/test/java/org/springframework/security/config/annotation/method/configuration/MethodSecurityService.java

@@ -39,6 +39,7 @@
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.access.prepost.PreFilter;
 import org.springframework.security.authorization.AuthorizationResult;
+import org.springframework.security.authorization.method.AuthorizationDeniedHandler;
 import org.springframework.security.authorization.method.AuthorizeReturnObject;
 import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
 import org.springframework.security.authorization.method.MethodAuthorizationDeniedPostProcessor;
@@ -127,54 +128,67 @@ public interface MethodSecurityService {
 	@RequireAdminRole
 	void repeatedAnnotations();
 
-	@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = StarMaskingHandler.class)
+	@PreAuthorize("hasRole('ADMIN')")
+	@AuthorizationDeniedHandler(handlerClass = StarMaskingHandler.class)
 	String preAuthorizeGetCardNumberIfAdmin(String cardNumber);
 
-	@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = StartMaskingHandlerChild.class)
+	@PreAuthorize("hasRole('ADMIN')")
+	@AuthorizationDeniedHandler(handlerClass = StartMaskingHandlerChild.class)
 	String preAuthorizeWithHandlerChildGetCardNumberIfAdmin(String cardNumber);
 
-	@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = StarMaskingHandler.class)
+	@PreAuthorize("hasRole('ADMIN')")
+	@AuthorizationDeniedHandler(handlerClass = StarMaskingHandler.class)
 	String preAuthorizeThrowAccessDeniedManually();
 
-	@PostAuthorize(value = "hasRole('ADMIN')", postProcessorClass = CardNumberMaskingPostProcessor.class)
+	@PostAuthorize("hasRole('ADMIN')")
+	@AuthorizationDeniedHandler(postProcessorClass = CardNumberMaskingPostProcessor.class)
 	String postAuthorizeGetCardNumberIfAdmin(String cardNumber);
 
-	@PostAuthorize(value = "hasRole('ADMIN')", postProcessorClass = PostMaskingPostProcessor.class)
+	@PostAuthorize("hasRole('ADMIN')")
+	@AuthorizationDeniedHandler(postProcessorClass = PostMaskingPostProcessor.class)
 	String postAuthorizeThrowAccessDeniedManually();
 
-	@PreAuthorize(value = "denyAll()", handlerClass = MaskAnnotationHandler.class)
+	@PreAuthorize("denyAll()")
 	@Mask("methodmask")
+	@AuthorizationDeniedHandler(handlerClass = MaskAnnotationHandler.class)
 	String preAuthorizeDeniedMethodWithMaskAnnotation();
 
-	@PreAuthorize(value = "denyAll()", handlerClass = MaskAnnotationHandler.class)
+	@PreAuthorize("denyAll()")
+	@AuthorizationDeniedHandler(handlerClass = MaskAnnotationHandler.class)
 	String preAuthorizeDeniedMethodWithNoMaskAnnotation();
 
 	@NullDenied(role = "ADMIN")
 	String postAuthorizeDeniedWithNullDenied();
 
-	@PostAuthorize(value = "denyAll()", postProcessorClass = MaskAnnotationPostProcessor.class)
+	@PostAuthorize("denyAll()")
 	@Mask("methodmask")
+	@AuthorizationDeniedHandler(postProcessorClass = MaskAnnotationPostProcessor.class)
 	String postAuthorizeDeniedMethodWithMaskAnnotation();
 
-	@PostAuthorize(value = "denyAll()", postProcessorClass = MaskAnnotationPostProcessor.class)
+	@PostAuthorize("denyAll()")
+	@AuthorizationDeniedHandler(postProcessorClass = MaskAnnotationPostProcessor.class)
 	String postAuthorizeDeniedMethodWithNoMaskAnnotation();
 
-	@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = MaskAnnotationHandler.class)
+	@PreAuthorize("hasRole('ADMIN')")
 	@Mask(expression = "@myMasker.getMask()")
+	@AuthorizationDeniedHandler(handlerClass = MaskAnnotationHandler.class)
 	String preAuthorizeWithMaskAnnotationUsingBean();
 
-	@PostAuthorize(value = "hasRole('ADMIN')", postProcessorClass = MaskAnnotationPostProcessor.class)
+	@PostAuthorize("hasRole('ADMIN')")
 	@Mask(expression = "@myMasker.getMask(returnObject)")
+	@AuthorizationDeniedHandler(postProcessorClass = MaskAnnotationPostProcessor.class)
 	String postAuthorizeWithMaskAnnotationUsingBean();
 
 	@AuthorizeReturnObject
 	UserRecordWithEmailProtected getUserRecordWithEmailProtected();
 
-	@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = UserFallbackDeniedHandler.class)
+	@PreAuthorize("hasRole('ADMIN')")
+	@AuthorizationDeniedHandler(handlerClass = UserFallbackDeniedHandler.class)
 	UserRecordWithEmailProtected getUserWithFallbackWhenUnauthorized();
 
-	@PreAuthorize(value = "@authz.checkResult(#result)", handlerClass = MethodAuthorizationDeniedHandler.class)
-	@PostAuthorize(value = "@authz.checkResult(!#result)",
+	@PreAuthorize("@authz.checkResult(#result)")
+	@PostAuthorize("@authz.checkResult(!#result)")
+	@AuthorizationDeniedHandler(handlerClass = MethodAuthorizationDeniedHandler.class,
 			postProcessorClass = MethodAuthorizationDeniedPostProcessor.class)
 	String checkCustomResult(boolean result);
 
@@ -305,7 +319,8 @@ public Object postProcessResult(MethodInvocationResult methodInvocationResult,
 	@Target({ ElementType.METHOD, ElementType.TYPE })
 	@Retention(RetentionPolicy.RUNTIME)
 	@Inherited
-	@PostAuthorize(value = "hasRole('{role}')", postProcessorClass = NullPostProcessor.class)
+	@PostAuthorize("hasRole('{role}')")
+	@AuthorizationDeniedHandler(postProcessorClass = NullPostProcessor.class)
 	@interface NullDenied {
 
 		String role();

config/src/test/java/org/springframework/security/config/annotation/method/configuration/ReactiveMethodSecurityService.java

@@ -33,6 +33,7 @@
 import org.springframework.security.access.prepost.PostAuthorize;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.authorization.AuthorizationResult;
+import org.springframework.security.authorization.method.AuthorizationDeniedHandler;
 import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
 import org.springframework.security.authorization.method.MethodAuthorizationDeniedPostProcessor;
 import org.springframework.security.authorization.method.MethodInvocationResult;
@@ -45,48 +46,60 @@
 @ReactiveMethodSecurityService.Mask("classmask")
 public interface ReactiveMethodSecurityService {
 
-	@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = StarMaskingHandler.class)
+	@PreAuthorize("hasRole('ADMIN')")
+	@AuthorizationDeniedHandler(handlerClass = StarMaskingHandler.class)
 	Mono<String> preAuthorizeGetCardNumberIfAdmin(String cardNumber);
 
-	@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = StartMaskingHandlerChild.class)
+	@PreAuthorize("hasRole('ADMIN')")
+	@AuthorizationDeniedHandler(handlerClass = StartMaskingHandlerChild.class)
 	Mono<String> preAuthorizeWithHandlerChildGetCardNumberIfAdmin(String cardNumber);
 
-	@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = StarMaskingHandler.class)
+	@PreAuthorize("hasRole('ADMIN')")
+	@AuthorizationDeniedHandler(handlerClass = StarMaskingHandler.class)
 	Mono<String> preAuthorizeThrowAccessDeniedManually();
 
-	@PostAuthorize(value = "hasRole('ADMIN')", postProcessorClass = CardNumberMaskingPostProcessor.class)
+	@PostAuthorize("hasRole('ADMIN')")
+	@AuthorizationDeniedHandler(postProcessorClass = CardNumberMaskingPostProcessor.class)
 	Mono<String> postAuthorizeGetCardNumberIfAdmin(String cardNumber);
 
-	@PostAuthorize(value = "hasRole('ADMIN')", postProcessorClass = PostMaskingPostProcessor.class)
+	@PostAuthorize("hasRole('ADMIN')")
+	@AuthorizationDeniedHandler(postProcessorClass = PostMaskingPostProcessor.class)
 	Mono<String> postAuthorizeThrowAccessDeniedManually();
 
-	@PreAuthorize(value = "denyAll()", handlerClass = MaskAnnotationHandler.class)
+	@PreAuthorize("denyAll()")
 	@Mask("methodmask")
+	@AuthorizationDeniedHandler(handlerClass = MaskAnnotationHandler.class)
 	Mono<String> preAuthorizeDeniedMethodWithMaskAnnotation();
 
-	@PreAuthorize(value = "denyAll()", handlerClass = MaskAnnotationHandler.class)
+	@PreAuthorize("denyAll()")
+	@AuthorizationDeniedHandler(handlerClass = MaskAnnotationHandler.class)
 	Mono<String> preAuthorizeDeniedMethodWithNoMaskAnnotation();
 
 	@NullDenied(role = "ADMIN")
 	Mono<String> postAuthorizeDeniedWithNullDenied();
 
-	@PostAuthorize(value = "denyAll()", postProcessorClass = MaskAnnotationPostProcessor.class)
+	@PostAuthorize("denyAll()")
 	@Mask("methodmask")
+	@AuthorizationDeniedHandler(postProcessorClass = MaskAnnotationPostProcessor.class)
 	Mono<String> postAuthorizeDeniedMethodWithMaskAnnotation();
 
-	@PostAuthorize(value = "denyAll()", postProcessorClass = MaskAnnotationPostProcessor.class)
+	@PostAuthorize("denyAll()")
+	@AuthorizationDeniedHandler(postProcessorClass = MaskAnnotationPostProcessor.class)
 	Mono<String> postAuthorizeDeniedMethodWithNoMaskAnnotation();
 
-	@PreAuthorize(value = "hasRole('ADMIN')", handlerClass = MaskAnnotationHandler.class)
+	@PreAuthorize("hasRole('ADMIN')")
 	@Mask(expression = "@myMasker.getMask()")
+	@AuthorizationDeniedHandler(handlerClass = MaskAnnotationHandler.class)
 	Mono<String> preAuthorizeWithMaskAnnotationUsingBean();
 
-	@PostAuthorize(value = "hasRole('ADMIN')", postProcessorClass = MaskAnnotationPostProcessor.class)
+	@PostAuthorize("hasRole('ADMIN')")
 	@Mask(expression = "@myMasker.getMask(returnObject)")
+	@AuthorizationDeniedHandler(postProcessorClass = MaskAnnotationPostProcessor.class)
 	Mono<String> postAuthorizeWithMaskAnnotationUsingBean();
 
-	@PreAuthorize(value = "@authz.checkReactiveResult(#result)", handlerClass = MethodAuthorizationDeniedHandler.class)
-	@PostAuthorize(value = "@authz.checkReactiveResult(!#result)",
+	@PreAuthorize("@authz.checkReactiveResult(#result)")
+	@PostAuthorize("@authz.checkReactiveResult(!#result)")
+	@AuthorizationDeniedHandler(handlerClass = MethodAuthorizationDeniedHandler.class,
 			postProcessorClass = MethodAuthorizationDeniedPostProcessor.class)
 	Mono<String> checkCustomResult(boolean result);
 
@@ -217,7 +230,8 @@ public Object postProcessResult(MethodInvocationResult methodInvocationResult,
 	@Target({ ElementType.METHOD, ElementType.TYPE })
 	@Retention(RetentionPolicy.RUNTIME)
 	@Inherited
-	@PostAuthorize(value = "hasRole('{value}')", postProcessorClass = NullPostProcessor.class)
+	@PostAuthorize("hasRole('{value}')")
+	@AuthorizationDeniedHandler(postProcessorClass = NullPostProcessor.class)
 	@interface NullDenied {
 
 		String role();

config/src/test/java/org/springframework/security/config/annotation/method/configuration/UserRecordWithEmailProtected.java

@@ -18,6 +18,7 @@
 
 import org.springframework.security.access.prepost.PostAuthorize;
 import org.springframework.security.authorization.AuthorizationResult;
+import org.springframework.security.authorization.method.AuthorizationDeniedHandler;
 import org.springframework.security.authorization.method.MethodAuthorizationDeniedPostProcessor;
 import org.springframework.security.authorization.method.MethodInvocationResult;
 
@@ -36,7 +37,8 @@ public String name() {
 		return this.name;
 	}
 
-	@PostAuthorize(value = "hasRole('ADMIN')", postProcessorClass = EmailMaskingPostProcessor.class)
+	@PostAuthorize("hasRole('ADMIN')")
+	@AuthorizationDeniedHandler(postProcessorClass = EmailMaskingPostProcessor.class)
 	public String email() {
 		return this.email;
 	}

core/src/main/java/org/springframework/security/access/prepost/PostAuthorize.java

@@ -23,9 +23,6 @@
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 
-import org.springframework.security.authorization.method.MethodAuthorizationDeniedPostProcessor;
-import org.springframework.security.authorization.method.ThrowingMethodAuthorizationDeniedPostProcessor;
-
 /**
  * Annotation for specifying a method access-control expression which will be evaluated
  * after a method has been invoked.
@@ -45,10 +42,4 @@
 	 */
 	String value();
 
-	/**
-	 * @return the {@link MethodAuthorizationDeniedPostProcessor} class used to
-	 * post-process access denied
-	 */
-	Class<? extends MethodAuthorizationDeniedPostProcessor> postProcessorClass() default ThrowingMethodAuthorizationDeniedPostProcessor.class;
-
 }

core/src/main/java/org/springframework/security/access/prepost/PreAuthorize.java

@@ -23,9 +23,6 @@
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 
-import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
-import org.springframework.security.authorization.method.ThrowingMethodAuthorizationDeniedHandler;
-
 /**
  * Annotation for specifying a method access-control expression which will be evaluated to
  * decide whether a method invocation is allowed or not.
@@ -45,10 +42,4 @@
 	 */
 	String value();
 
-	/**
-	 * @return the {@link MethodAuthorizationDeniedHandler} class used to handle access
-	 * denied
-	 */
-	Class<? extends MethodAuthorizationDeniedHandler> handlerClass() default ThrowingMethodAuthorizationDeniedHandler.class;
-
 }

core/src/main/java/org/springframework/security/authorization/method/AuthorizationDeniedHandler.java

@@ -0,0 +1,56 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authorization.method;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Inherited;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * Annotation for specifying handling behavior when an authorization denied happens in
+ * method security
+ *
+ * @author Marcus da Coregio
+ * @since 6.3
+ * @see org.springframework.security.access.prepost.PreAuthorize
+ * @see org.springframework.security.access.prepost.PostAuthorize
+ */
+@Target({ ElementType.METHOD, ElementType.TYPE })
+@Retention(RetentionPolicy.RUNTIME)
+@Inherited
+@Documented
+public @interface AuthorizationDeniedHandler {
+
+	/**
+	 * The {@link MethodAuthorizationDeniedHandler} used to handle denied authorizations
+	 * from {@link org.springframework.security.access.prepost.PreAuthorize}
+	 * @return
+	 */
+	Class<? extends MethodAuthorizationDeniedHandler> handlerClass() default ThrowingMethodAuthorizationDeniedHandler.class;
+
+	/**
+	 * The {@link MethodAuthorizationDeniedPostProcessor} used to post process denied
+	 * authorizations from
+	 * {@link org.springframework.security.access.prepost.PostAuthorize}
+	 * @return
+	 */
+	Class<? extends MethodAuthorizationDeniedPostProcessor> postProcessorClass() default ThrowingMethodAuthorizationDeniedPostProcessor.class;
+
+}

core/src/main/java/org/springframework/security/authorization/method/PostAuthorizeExpressionAttributeRegistry.java

@@ -55,11 +55,24 @@ ExpressionAttribute resolveAttribute(Method method, Class<?> targetClass) {
 			return ExpressionAttribute.NULL_ATTRIBUTE;
 		}
 		Expression expression = getExpressionHandler().getExpressionParser().parseExpression(postAuthorize.value());
-		MethodAuthorizationDeniedPostProcessor postProcessor = this.postProcessorResolver
-			.apply(postAuthorize.postProcessorClass());
+		MethodAuthorizationDeniedPostProcessor postProcessor = resolvePostProcessor(method, targetClass);
 		return new PostAuthorizeExpressionAttribute(expression, postProcessor);
 	}
 
+	private MethodAuthorizationDeniedPostProcessor resolvePostProcessor(Method method, Class<?> targetClass) {
+		Function<AnnotatedElement, AuthorizationDeniedHandler> lookup = AuthorizationAnnotationUtils
+			.withDefaults(AuthorizationDeniedHandler.class);
+		AuthorizationDeniedHandler deniedHandler = lookup.apply(method);
+		if (deniedHandler != null) {
+			return this.postProcessorResolver.apply(deniedHandler.postProcessorClass());
+		}
+		deniedHandler = lookup.apply(targetClass(method, targetClass));
+		if (deniedHandler != null) {
+			return this.postProcessorResolver.apply(deniedHandler.postProcessorClass());
+		}
+		return this.defaultPostProcessor;
+	}
+
 	private PostAuthorize findPostAuthorizeAnnotation(Method method, Class<?> targetClass) {
 		Function<AnnotatedElement, PostAuthorize> lookup = findUniqueAnnotation(PostAuthorize.class);
 		PostAuthorize postAuthorize = lookup.apply(method);

core/src/main/java/org/springframework/security/authorization/method/PreAuthorizeExpressionAttributeRegistry.java

@@ -55,10 +55,24 @@ ExpressionAttribute resolveAttribute(Method method, Class<?> targetClass) {
 			return ExpressionAttribute.NULL_ATTRIBUTE;
 		}
 		Expression expression = getExpressionHandler().getExpressionParser().parseExpression(preAuthorize.value());
-		MethodAuthorizationDeniedHandler handler = this.handlerResolver.apply(preAuthorize.handlerClass());
+		MethodAuthorizationDeniedHandler handler = resolveHandler(method, targetClass);
 		return new PreAuthorizeExpressionAttribute(expression, handler);
 	}
 
+	private MethodAuthorizationDeniedHandler resolveHandler(Method method, Class<?> targetClass) {
+		Function<AnnotatedElement, AuthorizationDeniedHandler> lookup = AuthorizationAnnotationUtils
+			.withDefaults(AuthorizationDeniedHandler.class);
+		AuthorizationDeniedHandler deniedHandler = lookup.apply(method);
+		if (deniedHandler != null) {
+			return this.handlerResolver.apply(deniedHandler.handlerClass());
+		}
+		deniedHandler = lookup.apply(targetClass(method, targetClass));
+		if (deniedHandler != null) {
+			return this.handlerResolver.apply(deniedHandler.handlerClass());
+		}
+		return this.defaultHandler;
+	}
+
 	private PreAuthorize findPreAuthorizeAnnotation(Method method, Class<?> targetClass) {
 		Function<AnnotatedElement, PreAuthorize> lookup = findUniqueAnnotation(PreAuthorize.class);
 		PreAuthorize preAuthorize = lookup.apply(method);