Spring Security Add Reasons to AuthorizationDecisions

It's helpful to know why a security decision was made.

AuthorityReactiveAuthorizationManager and AuthorityAuthorizationManager could do this by constructing an AuthorityAuthorizationDecision:

public class AuthorityAuthorizationManager implements AuthorizationManager {
    // ...

    public static class AuthorityAuthorizationDecision extends AuthorizationDecision {
        private Collection<GrantedAuthority> authorities;

        public AuthorityAuthorizationDecision(boolean decision, GrantedAuthority... authorities) {
            super(decision);
            // ...
        }

        public Collection<GrantedAuthority> getAuthorities() { 
            return this.authorities;
        }
    }
}

Likewise with AuthenticatedReactiveAuthorizationManager, AuthenticatedAuthorizationManager and AuthenticatedAuthorizationDecision.

Each implementation would likely need to override toString to assist with logging authorization events.

Comment From: rwinch

What is the concrete use case for this?

Comment From: jzheaux

I was thinking of event logging. It's helpful in logs to know why access was granted to a resource, for example.

Initially, I was thinking of combining this ticket with #9286. Your question may be a hint that they go together.