AuthorizeReturnObject should target the authorized object within MVC return values #16059

jzheaux · 2024-11-11T17:48:39Z

Placing @AuthorizeReturnObject on a method that returns ResponseEntity is limiting since the user doesn't have access to ResponseEntity to add the appropriate Security annotations.

#14717 will add support for applying Security configuration to third-party components. As part of that, Security should consider providing a mixin for Spring Web container objects like ResponseEntity and ModelAndView.

The text was updated successfully, but these errors were encountered:

evgeniycheban · 2024-11-22T00:05:24Z

Hi, @jzheaux can I work on this?

jzheaux mentioned this issue Nov 11, 2024

Improve Integration between Authorized Objects and Spring MVC #16057

Open

2 tasks

jzheaux changed the title ~~Object Authorization should be enforced when wrapped in MVC return values~~ AuthorizeReturnObject should target the authorized object within MVC return values Nov 11, 2024

jzheaux closed this as completed in 09ba539 Apr 10, 2025

jzheaux self-assigned this Apr 21, 2025

jzheaux added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement labels Apr 21, 2025

jzheaux added this to the 6.5.0-RC1 milestone Apr 21, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

AuthorizeReturnObject should target the authorized object within MVC return values #16059

AuthorizeReturnObject should target the authorized object within MVC return values #16059

jzheaux commented Nov 11, 2024 •

edited

Loading

evgeniycheban commented Nov 22, 2024

AuthorizeReturnObject should target the authorized object within MVC return values #16059

AuthorizeReturnObject should target the authorized object within MVC return values #16059

Comments

jzheaux commented Nov 11, 2024 • edited Loading

evgeniycheban commented Nov 22, 2024

jzheaux commented Nov 11, 2024 •

edited

Loading