spring-projects / spring-security

Spring Security

Home Page: http://spring.io/projects/spring-security

Directly including a custom error message within the @PreAuthorize

dzulic opened this issue · comments

A custom method for checking permissions is invoked in @PreAuthorize. The method customHasPermission checks for the permission in the token and returns true/false.
@PreAuthorize("@authService.customHasPermission('permission')")

Expected Behavior

Have an exception thrown with a custom message containing the permission name if hasPermission is false.
Some suggestions would be:

  • Enabling a message argument in @PreAuthorize that AccessDeniedException can handle
  • Or throwing a custom exception in customHasPermission

Current Behavior

  • No possibility to extend AccessDeniedException with @PreAuthorize-specific method params

Context

Trying to pass the permission string to the AccessDeniedException so it can return a custom message

Hi @dzulic! Have you tried using @HandleAuthorizationDenied? Perhaps it will solve your problem.

@CrazyParanoid Hi, thanks for the reply. I haven't, as I see it is in 6.3.0 and still in development, but I will check.

Currently I found a workaround: throwing AccessDeniedException in the customHasPermission method, which is then handled in the PreAuthorization correctly.
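
The workaround described in the comment above, sketched as an added example (not code from the thread or from Spring Security itself). It assumes method security is enabled with @EnableMethodSecurity and that the token's permissions have been mapped to granted authorities; the `report:read` permission, `ReportController` and `AccessDeniedAdvice` are hypothetical names.

```java
import java.util.Map;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.bind.annotation.RestControllerAdvice;

@Component("authService") // bean name referenced as @authService in the SpEL expression
class AuthService {
    // Returns true when the permission is present; otherwise throws, so the
    // denial carries the permission name instead of a generic "Access Denied".
    public boolean customHasPermission(String permission) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Assumption: token permissions were mapped to granted authorities.
        boolean granted = auth != null && auth.isAuthenticated()
                && auth.getAuthorities().stream()
                       .anyMatch(a -> permission.equals(a.getAuthority()));
        if (!granted) {
            throw new AccessDeniedException("Missing permission: " + permission);
        }
        return true;
    }
}

@RestController
class ReportController { // hypothetical endpoint guarded by the custom check
    @GetMapping("/reports")
    @PreAuthorize("@authService.customHasPermission('report:read')")
    public String reports() { return "ok"; }
}

@RestControllerAdvice
class AccessDeniedAdvice { // hypothetical handler that surfaces the custom message
    @ExceptionHandler(AccessDeniedException.class)
    public ResponseEntity<Map<String, String>> onDenied(AccessDeniedException ex) {
        return ResponseEntity.status(HttpStatus.FORBIDDEN)
                .body(Map.of("error", ex.getMessage()));
    }
}
```

The advice returns the message to the caller, which discloses the name of the required permission; log it server-side and return a generic body where that is not acceptable. It also answers anonymous callers with 403 instead of letting ExceptionTranslationFilter start authentication.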

Thanks, @dzulic, for reaching out and @CrazyParanoid for sharing about the new feature.

Since this has been brought up previously in #3306, I'll close this ticket and encourage continuing the conversation over there.