Throw AuthorizationDeniedException when AuthorizationResult is available #15706
Assignees
Labels
Milestone
Comments
mauromol
added
status: waiting-for-triage
|
Hi @mauromol, thanks for the report. We have recently created Since |
marcusdacoregio
added
for: team-attention
|
That would be great, thanks for your feedback! |
marcusdacoregio
removed
the
for: team-attention
|
Thanks for the report @mauromol, this is now merged into |
marcusdacoregio
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Expected Behavior
It would be very useful if the
AccessDeniedExceptioncontained theAuthorizationDecisionwhich led to the authorization failure.Current Behavior
No way to get the
AuthorizationDecisionfrom theAccessDeniedException. Seems like this info is only available by means of anAuthorizationEvent.Context
Writing a REST API. Applying method security on
RestControllermethods with@Secured. Using aControllerAdviceto interceptAccessDeniedExceptions. UsingErrorResponse/ProblemDetailfacilities of Spring 6 to produce RFC 9457-compliant error responses, and a proper message bundle feeding the application context message source. I would like to have an error detail message code like this for this kind of error:problemDetail.org.springframework.security.access.AccessDeniedException=User is missing the required authority; one of: {0}The list of allowed authorities for the target resource would be available in the
AuthorityAuthorizationDecisioncreated by theAuthorityAuthorizationManagerwhen checking for access grant: if I had access to it, I could easily use it to supply the necessary message arguments to get the final problem detail message from theAccessDeniedExceptionin myControllerAdvice.The
AuthorizationFilterhas all of this in its hands, it could just pass the decision to the exception it creates.Suggestions to any alternative way to achieve this would be welcome.
The text was updated successfully, but these errors were encountered: