Add Reasons to AuthorizationDecisions #9287
Description
It's helpful to know why a security decision was made.
AuthorityReactiveAuthorizationManager and AuthorityAuthorizationManager could do this by constructing an AuthorityAuthorizationDecision:
public class AuthorityAuthorizationManager implements AuthorizationManager {
// ...
public static class AuthorityAuthorizationDecision extends AuthorizationDecision {
private Collection<GrantedAuthority> authorities;
public AuthorityAuthorizationDecision(boolean decision, GrantedAuthority... authorities) {
super(decision);
// ...
}
public Collection<GrantedAuthority> getAuthorities() {
return this.authorities;
}
}
}Likewise with AuthenticatedReactiveAuthorizationManager, AuthenticatedAuthorizationManager and AuthenticatedAuthorizationDecision.
Each implementation would likely need to override toString to assist with logging authorization events.