It would be nice if AuthorizationFailureEvent and AuthorizedEvent each held a reference to the AuthorizationDecision that was made.

The new constructor should not take a Collection of ConfigAttributes.

Comment From: parikshitdutta

Thanks @jzheaux for assigning #9288 and pointing me to this one.

I was thinking of keeping a reference to Authentication in the event classes. To my understanding, AuthorizationSuccessEvent should be raised if AuthorizationDecision.isGranted(); otherwise, AuthorizationFailureEvent should be raised.

I mean, either it is granted or not, there is nothing more in AuthorizationDecision.

While wrapping Authentication in events can help in passing GrantedAuthority, Principal, for which either AuthorizationDecision is granted or not, determined with success or failure event respectively.

Please share your thoughts.

Comment From: jzheaux

> I mean, either it is granted or not, there is nothing more in AuthorizationDecision.

Since AuthorizationDecision can be subclassed, we can't say that there is nothing more in it.

For example, if you take a look at https://github.com/spring-projects/spring-security/issues/9287, there's value in including the reasons that an authorization decision was made.
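The design point discussed above, as an added example that is not part of the thread and not Spring Security's code: when both events carry the whole decision object, a listener can log the reasons a subclass provides. All types here are minimal stand-ins that only borrow the names used in the issue; `ReasonedDecision`, `toEvent`, `audit` and the sample values are hypothetical.

```java
import java.util.List;

// Stand-in types for illustration only; they mirror names from the thread
// and are not Spring Security's own classes.
public class DecisionEventDemo {
    static class AuthorizationDecision {
        private final boolean granted;
        AuthorizationDecision(boolean granted) { this.granted = granted; }
        boolean isGranted() { return granted; }
    }
    // Hypothetical subclass carrying the reasons behind the outcome.
    static class ReasonedDecision extends AuthorizationDecision {
        private final List<String> reasons;
        ReasonedDecision(boolean g, List<String> r) { super(g); this.reasons = List.copyOf(r); }
        List<String> getReasons() { return reasons; }
    }
    // Both event kinds keep the whole decision object, not just its boolean.
    abstract static class AuthorizationEvent {
        final String principal, resource;
        final AuthorizationDecision decision;
        AuthorizationEvent(String principal, String resource, AuthorizationDecision decision) {
            this.principal = principal; this.resource = resource; this.decision = decision;
        }
    }
    static class AuthorizedEvent extends AuthorizationEvent {
        AuthorizedEvent(String p, String r, AuthorizationDecision d) { super(p, r, d); }
    }
    static class AuthorizationFailureEvent extends AuthorizationEvent {
        AuthorizationFailureEvent(String p, String r, AuthorizationDecision d) { super(p, r, d); }
    }
    // Publisher side: pick the event type from isGranted(), pass the decision through.
    static AuthorizationEvent toEvent(String principal, String resource, AuthorizationDecision d) {
        return d.isGranted() ? new AuthorizedEvent(principal, resource, d)
                             : new AuthorizationFailureEvent(principal, resource, d);
    }
    // Listener side: an audit line that includes reasons when the subclass supplies them.
    static String audit(AuthorizationEvent e) {
        String outcome = (e instanceof AuthorizedEvent) ? "GRANTED" : "DENIED";
        String why = (e.decision instanceof ReasonedDecision)
                ? String.join("; ", ((ReasonedDecision) e.decision).getReasons()) : "n/a";
        return outcome + " principal=" + e.principal + " resource=" + e.resource + " reasons=" + why;
    }
    public static void main(String[] args) {
        // Constructed sample values.
        AuthorizationDecision denied = new ReasonedDecision(false, List.of("missing ROLE_ADMIN"));
        System.out.println(audit(toEvent("alice", "/admin", denied)));
        System.out.println(audit(toEvent("bob", "/home", new AuthorizationDecision(true))));
    }
}
```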

Comment From: parikshitdutta

> Since AuthorizationDecision can be subclassed, we can't say that there is nothing more in it.

Totally! As an afterthought, I knew it was coming :), thanks for sharing your thoughts. Please assign this to me as well.