AuthorizationManager should return AuthorizationResult

config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,8 +32,8 @@
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.TestingAuthenticationToken;
-import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.FilterChainProxy;
@@ -221,8 +221,8 @@ private boolean checkLoginPageIsPublic(List<Filter> filters, FilterInvocation lo
 			AuthorizationManager<HttpServletRequest> authorizationManager = authorizationFilter
 				.getAuthorizationManager();
 			try {
-				AuthorizationDecision decision = authorizationManager.check(() -> TEST, loginRequest.getHttpRequest());
-				return decision != null && decision.isGranted();
+				AuthorizationResult result = authorizationManager.authorize(() -> TEST, loginRequest.getHttpRequest());
+				return result != null && result.isGranted();
 			}
 			catch (Exception ex) {
 				return false;
@@ -252,8 +252,8 @@ private Supplier<Boolean> deriveAnonymousCheck(List<Filter> filters, FilterInvoc
 			return () -> {
 				AuthorizationManager<HttpServletRequest> authorizationManager = authorizationFilter
 					.getAuthorizationManager();
-				AuthorizationDecision decision = authorizationManager.check(() -> token, loginRequest.getHttpRequest());
-				return decision != null && decision.isGranted();
+				AuthorizationResult result = authorizationManager.authorize(() -> token, loginRequest.getHttpRequest());
+				return result != null && result.isGranted();
 			};
 		}
 		return () -> true;

config/src/main/java/org/springframework/security/config/method/PointcutDelegatingAuthorizationManager.java

@@ -25,6 +25,7 @@
 import org.springframework.aop.support.AopUtils;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.core.Authentication;
 
 class PointcutDelegatingAuthorizationManager implements AuthorizationManager<MethodInvocation> {
@@ -37,11 +38,24 @@ class PointcutDelegatingAuthorizationManager implements AuthorizationManager<Met
 
 	@Override
 	public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation object) {
+		AuthorizationResult result = authorize(authentication, object);
+		if (result == null) {
+			return null;
+		}
+		if (result instanceof AuthorizationDecision decision) {
+			return decision;
+		}
+		throw new IllegalArgumentException(
+				"Please either call authorize or ensure that the returned result is of type AuthorizationDecision");
+	}
+
+	@Override
+	public AuthorizationResult authorize(Supplier<Authentication> authentication, MethodInvocation object) {
 		for (Map.Entry<Pointcut, AuthorizationManager<MethodInvocation>> entry : this.managers.entrySet()) {
 			Class<?> targetClass = (object.getThis() != null) ? AopUtils.getTargetClass(object.getThis()) : null;
 			if (entry.getKey().getClassFilter().matches(targetClass)
 					&& entry.getKey().getMethodMatcher().matches(object.getMethod(), targetClass)) {
-				return entry.getValue().check(authentication, object);
+				return entry.getValue().authorize(authentication, object);
 			}
 		}
 		return new AuthorizationDecision(false);

config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java

@@ -75,6 +75,7 @@
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationEventPublisher;
 import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.authorization.method.AuthorizationAdvisor;
 import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
 import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.TargetVisitor;
@@ -110,6 +111,7 @@
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.atLeastOnce;
 import static org.mockito.Mockito.clearInvocations;
+import static org.mockito.Mockito.doCallRealMethod;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.spy;
@@ -1293,6 +1295,8 @@ static class AuthorizationEventPublisherConfig {
 
 		@Bean
 		AuthorizationEventPublisher authorizationEventPublisher() {
+			doCallRealMethod().when(this.publisher)
+				.publishAuthorizationEvent(any(), any(), any(AuthorizationResult.class));
 			return this.publisher;
 		}
 

config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -42,6 +42,7 @@
 import org.springframework.security.authorization.AuthorizationEventPublisher;
 import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.authorization.AuthorizationObservationContext;
+import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.config.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -78,6 +79,7 @@
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.mockito.Mockito.any;
 import static org.mockito.Mockito.atLeastOnce;
+import static org.mockito.Mockito.doCallRealMethod;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.verify;
@@ -1241,6 +1243,8 @@ static class AuthorizationEventPublisherConfig {
 
 		@Bean
 		AuthorizationEventPublisher authorizationEventPublisher() {
+			doCallRealMethod().when(this.publisher)
+				.publishAuthorizationEvent(any(), any(), any(AuthorizationResult.class));
 			return this.publisher;
 		}
 

config/src/test/java/org/springframework/security/config/http/DefaultFilterChainValidatorTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -113,6 +113,7 @@ public void validateCheckLoginPageIsntProtectedThrowsIllegalArgumentException()
 	@Test
 	public void validateCheckLoginPageAllowsAnonymous() {
 		given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false));
+		given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
 		this.validator.validate(this.chainAuthorizationFilter);
 		verify(this.logger).warn("Anonymous access to the login page doesn't appear to be enabled. "
 				+ "This is almost certainly an error. Please check your configuration allows unauthenticated "

config/src/test/java/org/springframework/security/config/http/HttpConfigTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -91,6 +91,7 @@ public void getWhenUsingAuthorizationManagerThenRedirectsToLogin() throws Except
 		AuthorizationManager<HttpServletRequest> authorizationManager = this.spring.getContext()
 			.getBean(AuthorizationManager.class);
 		given(authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false));
+		given(authorizationManager.authorize(any(), any())).willCallRealMethod();
 		// @formatter:off
 		this.mvc.perform(get("/"))
 				.andExpect(status().isFound())

config/src/test/java/org/springframework/security/config/method/InterceptMethodsBeanDefinitionDecoratorTests.java

@@ -168,6 +168,7 @@ public void transactionalAuthorizationManagerMethodsShouldBeSecured() {
 
 	@Test
 	public void targetCustomAuthorizationManagerUsed() {
+		given(this.mockAuthorizationManager.authorize(any(), any())).willCallRealMethod();
 		given(this.mockAuthorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(true));
 		this.targetCustomAuthorizationManager.doSomething();
 		verify(this.mockAuthorizationManager).check(any(), any());

config/src/test/java/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.java

@@ -514,6 +514,7 @@ public void sendWhenCustomAuthorizationManagerThenAuthorizesAccordingly() {
 		AuthorizationManager<Message<?>> authorizationManager = this.spring.getContext()
 			.getBean(AuthorizationManager.class);
 		given(authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false));
+		given(authorizationManager.authorize(any(), any())).willCallRealMethod();
 		Message<?> message = message("/any");
 		assertThatExceptionOfType(Exception.class).isThrownBy(send(message))
 			.withCauseInstanceOf(AccessDeniedException.class);

core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java

@@ -139,7 +139,9 @@ private static String[] toNamedRolesArray(String rolePrefix, String[] roles) {
 	 * @param authentication the {@link Supplier} of the {@link Authentication} to check
 	 * @param object the {@link T} object to check
 	 * @return an {@link AuthorizationDecision}
+	 * @deprecated please use {@link #authorize(Supplier, Object)} instead
 	 */
+	@Deprecated
 	@Override
 	public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
 		return this.delegate.check(authentication, this.authorities);

core/src/main/java/org/springframework/security/authorization/AuthorizationEventPublisher.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -42,8 +42,37 @@ public interface AuthorizationEventPublisher {
 	 * @param object the secured object
 	 * @param decision the decision about whether the user may access the secured object
 	 * @param <T> the secured object's type
+	 * @deprecated use
+	 * {@link #publishAuthorizationEvent(Supplier, Object, AuthorizationResult)} instead
 	 */
+	@Deprecated
 	<T> void publishAuthorizationEvent(Supplier<Authentication> authentication, T object,
 			AuthorizationDecision decision);
 
+	/**
+	 * Publish the given details in the form of an event, typically
+	 * {@link AuthorizationGrantedEvent} or {@link AuthorizationDeniedEvent}.
+	 *
+	 * Note that success events can be very noisy if enabled by default. Because of this
+	 * implementations may choose to drop success events by default.
+	 * @param authentication a {@link Supplier} for the current user
+	 * @param object the secured object
+	 * @param result {@link AuthorizationResult} the result about whether the user may
+	 * access the secured object
+	 * @param <T> the secured object's type
+	 * @since 6.4
+	 */
+	default <T> void publishAuthorizationEvent(Supplier<Authentication> authentication, T object,
+			AuthorizationResult result) {
+		if (result == null) {
+			publishAuthorizationEvent(authentication, object, null);
+			return;
+		}
+		if (result instanceof AuthorizationDecision decision) {
+			publishAuthorizationEvent(authentication, object, decision);
+			return;
+		}
+		throw new UnsupportedOperationException("result must be of type AuthorizationDecision");
+	}
+
 }

core/src/main/java/org/springframework/security/authorization/AuthorizationManager.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -50,8 +50,23 @@ default void verify(Supplier<Authentication> authentication, T object) {
 	 * @param authentication the {@link Supplier} of the {@link Authentication} to check
 	 * @param object the {@link T} object to check
 	 * @return an {@link AuthorizationDecision} or null if no decision could be made
+	 * @deprecated please use {@link #authorize(Supplier, Object)} instead
 	 */
 	@Nullable
+	@Deprecated
 	AuthorizationDecision check(Supplier<Authentication> authentication, T object);
 
+	/**
+	 * Determines if access is granted for a specific authentication and object.
+	 * @param authentication the {@link Supplier} of the {@link Authentication} to
+	 * authorize
+	 * @param object the {@link T} object to authorize
+	 * @return an {@link AuthorizationResult}
+	 * @since 6.4
+	 */
+	@Nullable
+	default AuthorizationResult authorize(Supplier<Authentication> authentication, T object) {
+		return check(authentication, object);
+	}
+
 }