Expected Behavior

Be able to configure MethodSecurityInterceptor to publish AuthorizedEvent. I've noticed that here it is suggested to use ObjectPostProcessor to configure FilterSecurityInterceptor in the same way.

I propose to use the same ObjectPostProcessor approach for MethodSecurityInterceptor at the point of bean creation here.

Current Behavior

The only way to configure MethodSecurityInterceptor that I found so far is through BeanPostProcessor which, I believe, isn't intended.

Context

I'm trying to build an authorization audit log to keep track of users and roles they actually use vs what is defined on a company level to optimise the setup over time.

I've noticed that there is no way to configure MethodSecurityInterceptor and thought that there's a simple fix so worth contributing.

If there's another solution I haven't thought of - please suggest :) I've also asked on StackOverflow to no avail.

Comment From: jzheaux

Any changes should wait until https://github.com/spring-projects/spring-security/pull/9630 is merged.

Comment From: Angelys

From what I can see, #9630 isn't changing GlobalMethodSecurityConfiguration class (where MethodSecurityInterceptor is created) nor is it changing the MethodSecurityInterceptor itself. So, just to be sure, the part that I'm concerned about is meant to stay the same and the problem I mentioned isn't addressed in that PR either, right?

What do you think in terms of the best solution for the problem of MethodSecurityInterceptor not being exposed to any means of configuration?

Comment From: jzheaux

Sorry, I could have said that more clearly, @Angelys.

Since what #9630 introduces will likely supersede GlobalMethodSecurityConfiguration, it's more likely that we'd focus efforts on enhancing the new method security API with the described feature.

In case other community members need the same capability in the meantime, would you be able to post the code snippet you wrote to make this happen in your application?

Comment From: Angelys

I see, thank you for the information!

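This is how I configured the MethodSecurityInterceptor:

import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor;
import org.springframework.stereotype.Component;

@Component
public class MethodSecurityInterceptorPostProcessor implements BeanPostProcessor {

    // Runs for every bean; only the MethodSecurityInterceptor is modified.
    @Override
    public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
        if (bean instanceof MethodSecurityInterceptor) {
            // Publish an AuthorizedEvent on each successful authorization decision.
            ((MethodSecurityInterceptor) bean).setPublishAuthorizationSuccess(true);
        }
        return bean;
    }
}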
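
The consuming side of the audit log described under Context, as an added example that is not part of the thread or of Spring Security itself: a listener that records each AuthorizedEvent once the interceptor publishes them. The class name, the `AUTHZ_AUDIT` logger name and the use of SLF4J are assumptions.

```java
import java.lang.reflect.Method;
import java.util.stream.Collectors;

import org.aopalliance.intercept.MethodInvocation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationListener;
import org.springframework.security.access.event.AuthorizedEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;

// Added example (hypothetical class): consumes the AuthorizedEvent published
// after setPublishAuthorizationSuccess(true) is set on the interceptor.
@Component
public class AuthorizationAuditListener implements ApplicationListener<AuthorizedEvent> {

    // Assumed logger name; route it to a dedicated, append-only audit appender.
    private static final Logger AUDIT = LoggerFactory.getLogger("AUTHZ_AUDIT");

    @Override
    public void onApplicationEvent(AuthorizedEvent event) {
        Authentication auth = event.getAuthentication();
        // getAttribute() is null for expression-based attributes such as
        // @PreAuthorize, so fall back to toString() for those.
        String required = event.getConfigAttributes().stream()
                .map(a -> a.getAttribute() != null ? a.getAttribute() : a.toString())
                .collect(Collectors.joining(","));
        String granted = auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.joining(","));
        AUDIT.info("user={} granted=[{}] required=[{}] target={}",
                clean(auth.getName()), clean(granted), clean(required),
                clean(target(event.getSource())));
    }

    // For method security the secure object is an AOP Alliance MethodInvocation.
    private static String target(Object secureObject) {
        if (secureObject instanceof MethodInvocation) {
            Method m = ((MethodInvocation) secureObject).getMethod();
            return m.getDeclaringClass().getName() + "#" + m.getName();
        }
        return secureObject.getClass().getName();
    }

    // Replace CR/LF so a crafted principal name cannot forge extra audit lines.
    private static String clean(String value) {
        return value == null ? "" : value.replaceAll("[\\r\\n]", "_");
    }
}
```

Logging both the granted authorities and the attributes the invoked method required gives the data needed to compare roles in use against roles assigned.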