
Exceptions for Authorized Objects should propagate when returned from a Controller #17074


Open: evgeniycheban wants to merge 1 commit into main from the gh-16058 branch.

Conversation

evgeniycheban (Contributor)

Closes gh-16058

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 8, 2025
@evgeniycheban evgeniycheban force-pushed the gh-16058 branch 4 times, most recently from 5e6afe3 to fb85470, May 8, 2025 16:02
@jzheaux jzheaux self-requested a review May 13, 2025 18:52
@jzheaux jzheaux (Contributor) left a comment

Nice solution, @evgeniycheban! I've left a piece of feedback inline.


@Bean
@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
AuthorizationAdvisorProxyFactory.TargetVisitor webTargetVisitor() {
return new WebTargetVisitor();
}

@Override
public void extendHandlerExceptionResolvers(List<HandlerExceptionResolver> resolvers) {
resolvers.add(0, new HttpMessageNotWritableAccessDeniedExceptionResolver());
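
Review bot: resolvers.add(0, new HttpMessageNotWritableAccessDeniedExceptionResolver()) places Security's resolver ahead of every resolver Spring MVC has already registered, including ExceptionHandlerExceptionResolver, so an application @ExceptionHandler for an AccessDeniedException-caused HttpMessageNotWritableException is never consulted and there is no clean way to override this behaviour. Locate DefaultHandlerExceptionResolver in the list and insert just before it instead, which keeps the application's own handlers in front; a configuration switch to turn the handling off entirely would also be worth considering.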

@jzheaux jzheaux (Contributor) commented on this line:

One thing that concerns me is that this might break applications that have an @ExceptionHandler for AccessDeniedException-caused HttpMessageNotWritableException already.

Further, it would be nice if there were a clear way for applications to override Security's default handling of this scenario.

@evgeniycheban evgeniycheban (Contributor Author) replied:

I implemented a fix for this scenario by finding the DefaultHandlerExceptionResolver's index and adding Security's ExceptionResolver before the default resolver. This way user-defined @ExceptionHandler will always take precedence and try to resolve an exception first since the ExceptionHandlerExceptionResolver is added before the extendHandlerExceptionResolvers method call. I think we could also consider providing a configuration option to control whether Spring Security should handle this type of scenario or not.
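
Worked example of the ordering described in the reply above. This is added illustration code, not the PR's own implementation: a WebMvcConfigurer that inserts a resolver just ahead of DefaultHandlerExceptionResolver, a resolver that unwraps an AccessDeniedException from the HttpMessageNotWritableException a message converter raises when an authorized return object refuses a getter during serialization, and an application @ExceptionHandler that still runs first because ExceptionHandlerExceptionResolver is already in the list when extendHandlerExceptionResolvers is called. The class names (AccessDeniedOnSerializationConfig, UnwrapAccessDeniedResolver, AppAccessDeniedAdvice) are this example's own, the plain sendError(403) is a stand-in for whatever Security's resolver does, and the PR's TargetVisitor bean is not reproduced. It assumes Spring MVC 6.x with jakarta.servlet and Spring Security on the classpath.

```java
import java.io.IOException;
import java.util.List;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.http.converter.HttpMessageNotWritableException;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;
import org.springframework.web.servlet.HandlerExceptionResolver;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.mvc.support.DefaultHandlerExceptionResolver;

// Hypothetical configuration class for this example; not the PR's code.
@Configuration
public class AccessDeniedOnSerializationConfig implements WebMvcConfigurer {

    @Override
    public void extendHandlerExceptionResolvers(List<HandlerExceptionResolver> resolvers) {
        // When this hook runs, Spring MVC has already populated the list with
        // ExceptionHandlerExceptionResolver, ResponseStatusExceptionResolver and
        // DefaultHandlerExceptionResolver, in that order. Inserting just before the
        // default resolver keeps application @ExceptionHandler methods ahead of ours.
        int index = resolvers.size();
        for (int i = 0; i < resolvers.size(); i++) {
            if (resolvers.get(i) instanceof DefaultHandlerExceptionResolver) {
                index = i;
                break;
            }
        }
        resolvers.add(index, new UnwrapAccessDeniedResolver());
    }

    // Maps an HttpMessageNotWritableException whose cause chain contains an
    // AccessDeniedException to 403 instead of the 500 DefaultHandlerExceptionResolver
    // would produce. Returning null means "not handled, try the next resolver".
    static final class UnwrapAccessDeniedResolver implements HandlerExceptionResolver {

        @Override
        public ModelAndView resolveException(HttpServletRequest request, HttpServletResponse response,
                Object handler, Exception ex) {
            if (!(ex instanceof HttpMessageNotWritableException)) {
                return null;
            }
            AccessDeniedException denied = findCause(ex, AccessDeniedException.class);
            if (denied == null) {
                return null;
            }
            // The converter may already have flushed part of the body. Once the response
            // is committed the status line cannot be changed and sendError would throw,
            // so leave it to the remaining resolvers rather than fail here.
            if (response.isCommitted()) {
                return null;
            }
            try {
                // Simplification for the example: a bare 403. A real application would
                // more likely delegate to its AccessDeniedHandler so the response matches
                // what ExceptionTranslationFilter produces for the same exception.
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Forbidden");
            } catch (IOException ioe) {
                return null;
            }
            return new ModelAndView(); // empty view: handled, nothing further to render
        }

        // Walks the cause chain with a depth bound so a cyclic chain cannot loop forever.
        static <T extends Throwable> T findCause(Throwable t, Class<T> type) {
            Throwable current = t;
            for (int depth = 0; current != null && depth < 32; depth++) {
                if (type.isInstance(current)) {
                    return type.cast(current);
                }
                current = current.getCause();
            }
            return null;
        }
    }
}

// Because ExceptionHandlerExceptionResolver precedes the resolver registered above,
// this application handler is consulted first and so overrides the default handling.
// Rethrowing makes the resolver log and return null, passing the exception down the chain.
@RestControllerAdvice
class AppAccessDeniedAdvice {

    @ExceptionHandler(HttpMessageNotWritableException.class)
    ResponseEntity<String> onNotWritable(HttpMessageNotWritableException ex) {
        AccessDeniedException denied = AccessDeniedOnSerializationConfig.UnwrapAccessDeniedResolver
                .findCause(ex, AccessDeniedException.class);
        if (denied == null) {
            throw ex;
        }
        return ResponseEntity.status(HttpStatus.FORBIDDEN).body("{\"error\":\"access denied\"}");
    }
}
```

The isCommitted check is the caveat to keep in mind with this approach: serialization failures discovered mid-stream can only be turned into a 403 while the servlet response buffer still holds the partial body, so large payloads whose first bytes have already gone to the client will not get a status change from any resolver.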

@jzheaux jzheaux self-assigned this May 13, 2025
@jzheaux jzheaux added the type: enhancement A general enhancement label May 13, 2025
@jzheaux jzheaux added this to the 7.0.x milestone May 13, 2025
@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged labels May 13, 2025
@evgeniycheban evgeniycheban (Contributor Author) commented:

Hi @jzheaux I updated the PR, according to your feedback, thanks.

@evgeniycheban evgeniycheban requested a review from jzheaux May 14, 2025 03:05
Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement
Development
Successfully merging this pull request may close these issues: Exceptions for Authorized Objects should propagate when returned from a Controller (gh-16058).
3 participants