Update AuthorizeReturnObject Jackson Docs
The docs now instruct readers to use MethodAuthorizationDeniedHandler.

Issue gh-14601
parent
fd05c5ad76
commit
add5c56136
|
@ -2227,7 +2227,7 @@ class UserController {
|
|||
----
|
||||
======
|
||||
|
||||
Finally, you will need to publish a <<custom_advice, custom interceptor>> to catch the `AccessDeniedException` thrown for each field, which you can do like so:
|
||||
You will need to <<fallback-values-authorization-denied,add a `MethodAuthorizationDeniedHandler`>> like this one:
|
||||
|
||||
[tabs]
|
||||
======
|
||||
|
@ -2236,32 +2236,18 @@ Java::
|
|||
[source,java,role="primary"]
|
||||
----
|
||||
@Component
|
||||
public class AccessDeniedExceptionInterceptor implements AuthorizationAdvisor {
|
||||
private final AuthorizationAdvisor advisor = AuthorizationManagerBeforeMethodInterceptor.preAuthorize();
|
||||
|
||||
public class Null implements MethodAuthorizationDeniedHandler {
|
||||
@Override
|
||||
public Object invoke(MethodInvocation invocation) throws Throwable {
|
||||
try {
|
||||
return invocation.proceed();
|
||||
} catch (AccessDeniedException ex) {
|
||||
public Object handleDeniedInvocation(MethodInvocation methodInvocation, AuthorizationResult authorizationResult) {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public Pointcut getPointcut() {
|
||||
return this.advisor.getPointcut();
|
||||
}
|
||||
// ...
|
||||
|
||||
@Override
|
||||
public Advice getAdvice() {
|
||||
return this;
|
||||
}
|
||||
|
||||
@Override
|
||||
public int getOrder() {
|
||||
return this.advisor.getOrder() - 1;
|
||||
}
|
||||
@HandleAuthorizationDenied(handlerClass = Null.class)
|
||||
public class User {
|
||||
...
|
||||
}
|
||||
----
|
||||
|
||||
|
@ -2270,26 +2256,17 @@ Kotlin::
|
|||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Component
|
||||
class AccessDeniedExceptionInterceptor: AuthorizationAdvisor {
|
||||
var advisor: AuthorizationAdvisor = AuthorizationManagerBeforeMethodInterceptor.preAuthorize()
|
||||
|
||||
@Throws(Throwable::class)
|
||||
fun invoke(invocation: MethodInvocation): Any? {
|
||||
return try {
|
||||
invocation.proceed()
|
||||
} catch (ex:AccessDeniedException) {
|
||||
null
|
||||
class Null : MethodAuthorizationDeniedHandler {
|
||||
override fun handleDeniedInvocation(methodInvocation: MethodInvocation?, authorizationResult: AuthorizationResult?): Any? {
|
||||
return null
|
||||
}
|
||||
}
|
||||
|
||||
val pointcut: Pointcut
|
||||
get() = advisor.getPointcut()
|
||||
// ...
|
||||
|
||||
val advice: Advice
|
||||
get() = this
|
||||
|
||||
val order: Int
|
||||
get() = advisor.getOrder() - 1
|
||||
@HandleAuthorizationDenied(handlerClass = Null.class)
|
||||
open class User {
|
||||
...
|
||||
}
|
||||
----
|
||||
======
|
||||
|
@ -2317,7 +2294,7 @@ And if they do have that authority, they'll see:
|
|||
|
||||
[TIP]
|
||||
====
|
||||
You can also add the Spring Boot property `spring.jackson.default-property-inclusion=non_null` to exclude the null value, if you also don't want to reveal the JSON key to an unauthorized user.
|
||||
You can also add the Spring Boot property `spring.jackson.default-property-inclusion=non_null` to exclude the null value from serialization, if you also don't want to reveal the JSON key to an unauthorized user.
|
||||
====
|
||||
|
||||
[[fallback-values-authorization-denied]]
|
||||
|
|
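Review bot: In the Kotlin listing, the annotation on `open class User` is written as `@HandleAuthorizationDenied(handlerClass = Null.class)`, which is Java class-literal syntax and does not compile in Kotlin; it should read `@HandleAuthorizationDenied(handlerClass = Null::class)`. Readers tend to paste these samples directly into authorization code, so a listing that fails to compile invites ad-hoc workarounds around the denial handler. The Kotlin `handleDeniedInvocation` override also declares both parameters nullable (`MethodInvocation?`, `AuthorizationResult?`), which the Java listing does not suggest; that is worth confirming against the interface before publishing. The page has lost its `+`/`-` markers, so this assumes the `Null` handler lines are the new side, as the commit title indicates.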