Skip to content

Exceptions for Authorized Objects should propagate when returned from a Controller #16058

New issue
New issue
Closed
#17074
Closed
Exceptions for Authorized Objects should propagate when returned from a Controller#16058
#17074
Assignees
evgeniycheban
Milestone
7.0.x
@jzheaux

Description

@jzheaux
jzheaux
opened on Nov 11, 2024

When using @AuthorizeReturnObject on a controller method like so:

@AuthorizeReturnObject
@GetMapping(...)
public MyObject getObject() {
    return ...
}

Any unhandled authorization failures are not propagated to the ExceptionTranslationFilter and instead result in a 500.

Security currently supports using @HandleAuthorizationDenied to provide behavior like ignoring that field when the response is serialized. However, it would be helpful to be able to leverage the logic in ExceptionTranslationFilter, including calling any configured AccessDeniedHandler.

One way to do this may be to provide an implementation of AbstractView that is used by a default exception handler. It would ideally have a similar effect to:

@ExceptionHandler(HttpMessageNotWritableException.class)
View handleWrite(HttpMessageNotWritableException ex) {
    if (ex.getRootCause() instanceof AuthorizationDeniedException denied) {
       return new AbstractView() {
          @Override
          protected void renderMergedOutputModel(Map<String, Object> model,
                HttpServletRequest request, HttpServletResponse response)
                throws Exception {
             throw ex;
          }
       };
    }
    throw ex;
}

but without applications needing to register it.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions