Consider handler bean reference for HandleAuthorizationDenied

evgeniycheban · evgeniycheban · commit 6930987f95f7 · 2025-04-20T08:24:32.000+03:00
Closes spring-projectsgh-16622 Signed-off-by: Evgeniy Cheban <mister.cheban@gmail.com>
diff --git a/core/src/main/java/org/springframework/security/authorization/method/HandleAuthorizationDenied.java b/core/src/main/java/org/springframework/security/authorization/method/HandleAuthorizationDenied.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -30,6 +30,7 @@
  * thrown during method invocation
  *
  * @author Marcus da Coregio
+ * @author Evgeniy Cheban
  * @since 6.3
  * @see AuthorizationManagerAfterMethodInterceptor
  * @see AuthorizationManagerBeforeMethodInterceptor
@@ -47,4 +48,13 @@
 	 */
 	Class<? extends MethodAuthorizationDeniedHandler> handlerClass() default ThrowingMethodAuthorizationDeniedHandler.class;
 
+	/**
+	 * Specifies a {@link MethodAuthorizationDeniedHandler} bean name to be used to handle
+	 * denied method invocation.
+	 * @return the {@link MethodAuthorizationDeniedHandler} bean name to be used to handle
+	 * denied method invocation
+	 * @since 6.5
+	 */
+	String handler() default "";
+
 }
diff --git a/core/src/main/java/org/springframework/security/authorization/method/PostAuthorizeExpressionAttributeRegistry.java b/core/src/main/java/org/springframework/security/authorization/method/PostAuthorizeExpressionAttributeRegistry.java
@@ -18,7 +18,7 @@
 
 import java.lang.reflect.Method;
 import java.util.Arrays;
-import java.util.function.Function;
+import java.util.function.BiFunction;
 
 import reactor.util.annotation.NonNull;
 
@@ -29,6 +29,7 @@
 import org.springframework.security.core.annotation.SecurityAnnotationScanner;
 import org.springframework.security.core.annotation.SecurityAnnotationScanners;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 
 /**
  * For internal use only, as this contract is likely to change.
@@ -44,13 +45,13 @@ final class PostAuthorizeExpressionAttributeRegistry extends AbstractExpressionA
 	private final SecurityAnnotationScanner<HandleAuthorizationDenied> handleAuthorizationDeniedScanner = SecurityAnnotationScanners
 		.requireUnique(HandleAuthorizationDenied.class);
 
-	private Function<Class<? extends MethodAuthorizationDeniedHandler>, MethodAuthorizationDeniedHandler> handlerResolver;
+	private BiFunction<String, Class<? extends MethodAuthorizationDeniedHandler>, MethodAuthorizationDeniedHandler> handlerResolver;
 
 	private SecurityAnnotationScanner<PostAuthorize> postAuthorizeScanner = SecurityAnnotationScanners
 		.requireUnique(PostAuthorize.class);
 
 	PostAuthorizeExpressionAttributeRegistry() {
-		this.handlerResolver = (clazz) -> new ReflectiveMethodAuthorizationDeniedHandler(clazz,
+		this.handlerResolver = (beanName, clazz) -> new ReflectiveMethodAuthorizationDeniedHandler(clazz,
 				PostAuthorizeAuthorizationManager.class);
 	}
 
@@ -70,7 +71,7 @@ private MethodAuthorizationDeniedHandler resolveHandler(Method method, Class<?>
 		Class<?> targetClassToUse = targetClass(method, targetClass);
 		HandleAuthorizationDenied deniedHandler = this.handleAuthorizationDeniedScanner.scan(method, targetClassToUse);
 		if (deniedHandler != null) {
-			return this.handlerResolver.apply(deniedHandler.handlerClass());
+			return this.handlerResolver.apply(deniedHandler.handler(), deniedHandler.handlerClass());
 		}
 		return this.defaultHandler;
 	}
@@ -87,15 +88,18 @@ private PostAuthorize findPostAuthorizeAnnotation(Method method, Class<?> target
 	 */
 	void setApplicationContext(ApplicationContext context) {
 		Assert.notNull(context, "context cannot be null");
-		this.handlerResolver = (clazz) -> resolveHandler(context, clazz);
+		this.handlerResolver = (beanName, clazz) -> resolveHandler(context, beanName, clazz);
 	}
 
 	void setTemplateDefaults(AnnotationTemplateExpressionDefaults templateDefaults) {
 		this.postAuthorizeScanner = SecurityAnnotationScanners.requireUnique(PostAuthorize.class, templateDefaults);
 	}
 
-	private MethodAuthorizationDeniedHandler resolveHandler(ApplicationContext context,
+	private MethodAuthorizationDeniedHandler resolveHandler(ApplicationContext context, String beanName,
 			Class<? extends MethodAuthorizationDeniedHandler> handlerClass) {
+		if (StringUtils.hasText(beanName)) {
+			return context.getBean(beanName, MethodAuthorizationDeniedHandler.class);
+		}
 		if (handlerClass == this.defaultHandler.getClass()) {
 			return this.defaultHandler;
 		}
diff --git a/core/src/main/java/org/springframework/security/authorization/method/PreAuthorizeExpressionAttributeRegistry.java b/core/src/main/java/org/springframework/security/authorization/method/PreAuthorizeExpressionAttributeRegistry.java
@@ -18,7 +18,7 @@
 
 import java.lang.reflect.Method;
 import java.util.Arrays;
-import java.util.function.Function;
+import java.util.function.BiFunction;
 
 import org.springframework.context.ApplicationContext;
 import org.springframework.expression.Expression;
@@ -28,6 +28,7 @@
 import org.springframework.security.core.annotation.SecurityAnnotationScanner;
 import org.springframework.security.core.annotation.SecurityAnnotationScanners;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 
 /**
  * For internal use only, as this contract is likely to change.
@@ -43,13 +44,13 @@ final class PreAuthorizeExpressionAttributeRegistry extends AbstractExpressionAt
 	private final SecurityAnnotationScanner<HandleAuthorizationDenied> handleAuthorizationDeniedScanner = SecurityAnnotationScanners
 		.requireUnique(HandleAuthorizationDenied.class);
 
-	private Function<Class<? extends MethodAuthorizationDeniedHandler>, MethodAuthorizationDeniedHandler> handlerResolver;
+	private BiFunction<String, Class<? extends MethodAuthorizationDeniedHandler>, MethodAuthorizationDeniedHandler> handlerResolver;
 
 	private SecurityAnnotationScanner<PreAuthorize> preAuthorizeScanner = SecurityAnnotationScanners
 		.requireUnique(PreAuthorize.class);
 
 	PreAuthorizeExpressionAttributeRegistry() {
-		this.handlerResolver = (clazz) -> new ReflectiveMethodAuthorizationDeniedHandler(clazz,
+		this.handlerResolver = (beanName, clazz) -> new ReflectiveMethodAuthorizationDeniedHandler(clazz,
 				PreAuthorizeAuthorizationManager.class);
 	}
 
@@ -69,7 +70,7 @@ private MethodAuthorizationDeniedHandler resolveHandler(Method method, Class<?>
 		Class<?> targetClassToUse = targetClass(method, targetClass);
 		HandleAuthorizationDenied deniedHandler = this.handleAuthorizationDeniedScanner.scan(method, targetClassToUse);
 		if (deniedHandler != null) {
-			return this.handlerResolver.apply(deniedHandler.handlerClass());
+			return this.handlerResolver.apply(deniedHandler.handler(), deniedHandler.handlerClass());
 		}
 		return this.defaultHandler;
 	}
@@ -86,15 +87,18 @@ private PreAuthorize findPreAuthorizeAnnotation(Method method, Class<?> targetCl
 	 */
 	void setApplicationContext(ApplicationContext context) {
 		Assert.notNull(context, "context cannot be null");
-		this.handlerResolver = (clazz) -> resolveHandler(context, clazz);
+		this.handlerResolver = (beanName, clazz) -> resolveHandler(context, beanName, clazz);
 	}
 
 	void setTemplateDefaults(AnnotationTemplateExpressionDefaults defaults) {
 		this.preAuthorizeScanner = SecurityAnnotationScanners.requireUnique(PreAuthorize.class, defaults);
 	}
 
-	private MethodAuthorizationDeniedHandler resolveHandler(ApplicationContext context,
+	private MethodAuthorizationDeniedHandler resolveHandler(ApplicationContext context, String beanName,
 			Class<? extends MethodAuthorizationDeniedHandler> handlerClass) {
+		if (StringUtils.hasText(beanName)) {
+			return context.getBean(beanName, MethodAuthorizationDeniedHandler.class);
+		}
 		if (handlerClass == this.defaultHandler.getClass()) {
 			return this.defaultHandler;
 		}
diff --git a/core/src/test/java/org/springframework/security/authorization/method/PostAuthorizeAuthorizationManagerTests.java b/core/src/test/java/org/springframework/security/authorization/method/PostAuthorizeAuthorizationManagerTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,6 +26,7 @@
 import org.aopalliance.intercept.MethodInvocation;
 import org.junit.jupiter.api.Test;
 
+import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.context.support.GenericApplicationContext;
 import org.springframework.core.annotation.AnnotationConfigurationException;
 import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
@@ -179,6 +180,27 @@ public void checkWhenHandlerDeniedApplicationContextThenLooksForBean() throws Ex
 			.isThrownBy(() -> handleDeniedInvocationResult("methodOne", manager));
 	}
 
+	@Test
+	public void checkWhenHandlerDeniedApplicationContextHandlerSpecifiedThenLooksForBean() throws Exception {
+		GenericApplicationContext context = new GenericApplicationContext();
+		context.registerBean("deniedHandler", NoDefaultConstructorHandler.class,
+				() -> new NoDefaultConstructorHandler(new Object()));
+		context.refresh();
+		PostAuthorizeAuthorizationManager manager = new PostAuthorizeAuthorizationManager();
+		manager.setApplicationContext(context);
+		assertThat(handleDeniedInvocationResult("methodThree", manager)).isNull();
+	}
+
+	@Test
+	public void checkWhenHandlerDeniedApplicationContextHandlerSpecifiedThenLooksForBeanNotFound() {
+		GenericApplicationContext context = new GenericApplicationContext();
+		context.refresh();
+		PostAuthorizeAuthorizationManager manager = new PostAuthorizeAuthorizationManager();
+		manager.setApplicationContext(context);
+		assertThatExceptionOfType(NoSuchBeanDefinitionException.class)
+			.isThrownBy(() -> handleDeniedInvocationResult("methodThree", manager));
+	}
+
 	private Object handleDeniedInvocationResult(String methodName, PostAuthorizeAuthorizationManager manager)
 			throws Exception {
 		MethodInvocation invocation = new MockMethodInvocation(new UsingHandleDeniedAuthorization(),
@@ -279,6 +301,12 @@ public String methodTwo() {
 			return "ok";
 		}
 
+		@HandleAuthorizationDenied(handler = "deniedHandler")
+		@PostAuthorize("denyAll()")
+		public String methodThree() {
+			return "ok";
+		}
+
 	}
 
 	public static final class NullHandler implements MethodAuthorizationDeniedHandler {
diff --git a/core/src/test/java/org/springframework/security/authorization/method/PreAuthorizeAuthorizationManagerTests.java b/core/src/test/java/org/springframework/security/authorization/method/PreAuthorizeAuthorizationManagerTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,6 +24,7 @@
 import org.junit.jupiter.api.Test;
 
 import org.springframework.aop.TargetClassAware;
+import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.context.support.GenericApplicationContext;
 import org.springframework.core.annotation.AnnotationConfigurationException;
 import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
@@ -160,6 +161,27 @@ public void checkWhenHandlerDeniedApplicationContextThenLooksForBean() throws Ex
 			.isThrownBy(() -> handleDeniedInvocationResult("methodOne", manager));
 	}
 
+	@Test
+	public void checkWhenHandlerDeniedApplicationContextHandlerSpecifiedThenLooksForBean() throws Exception {
+		GenericApplicationContext context = new GenericApplicationContext();
+		context.registerBean("deniedHandler", NoDefaultConstructorHandler.class,
+				() -> new NoDefaultConstructorHandler(new Object()));
+		context.refresh();
+		PreAuthorizeAuthorizationManager manager = new PreAuthorizeAuthorizationManager();
+		manager.setApplicationContext(context);
+		assertThat(handleDeniedInvocationResult("methodThree", manager)).isNull();
+	}
+
+	@Test
+	public void checkWhenHandlerDeniedApplicationContextHandlerSpecifiedThenLooksForBeanNotFound() {
+		GenericApplicationContext context = new GenericApplicationContext();
+		context.refresh();
+		PreAuthorizeAuthorizationManager manager = new PreAuthorizeAuthorizationManager();
+		manager.setApplicationContext(context);
+		assertThatExceptionOfType(NoSuchBeanDefinitionException.class)
+			.isThrownBy(() -> handleDeniedInvocationResult("methodThree", manager));
+	}
+
 	private Object handleDeniedInvocationResult(String methodName, PreAuthorizeAuthorizationManager manager)
 			throws Exception {
 		MethodInvocation invocation = new MockMethodInvocation(new UsingHandleDeniedAuthorization(),
@@ -283,6 +305,12 @@ public String methodTwo() {
 			return "ok";
 		}
 
+		@HandleAuthorizationDenied(handler = "deniedHandler")
+		@PreAuthorize("denyAll()")
+		public String methodThree() {
+			return "ok";
+		}
+
 	}
 
 	public static final class NullHandler implements MethodAuthorizationDeniedHandler {
