A custom method for has-permission checks is being invoked in PreAuthorize. The method customHasPermission checks for the permission in the token and returns true/false:

@PreAuthorize("@authService.customHasPermission('permission')")

Expected Behavior

An exception should be thrown if hasPermission is false, with a custom message that includes the permission name. Some suggestions would be:

  • Enabling a message argument in @PreAuthorize that AccessDeniedException can handle
  • Or throwing a custom exception in customHasPermission

Current Behavior

  • No possibility to extend AccessDeniedException with @PreAuthorization specific method params

Context

Trying to pass the permission string to the AccessDeniedException so it can return a custom message.

Comment From: franticticktick

Hi @dzulic! Have you tried using @HandleAuthorizationDenied? Perhaps it will solve your problem.

Comment From: dzulic

@CrazyParanoid Hi, thanks for the reply. I haven't, as I see it is in 6.3.0 and still in development, but I will check.

Currently I found a workaround: throwing AccessDeniedException in the customHasPermission method, which is then handled in the PreAuthorization correctly.
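
The workaround described in the comment above, sketched as an added example (not code from the thread or from Spring Security itself). It assumes the token's permissions were mapped to granted authorities at authentication time; `ReportService`, `report:read`, `DeniedAdvice` and the message format are hypothetical.

```java
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

// The bean name must match the @authService reference in the SpEL expression.
@Service("authService")
class AuthService {
    public boolean customHasPermission(String permission) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Assumption: permissions from the token are exposed as granted authorities.
        boolean granted = auth != null && auth.isAuthenticated()
                && auth.getAuthorities().stream()
                       .map(GrantedAuthority::getAuthority)
                       .anyMatch(permission::equals);
        if (!granted) {
            // Throw instead of returning false so the permission name
            // travels with the exception message.
            throw new AccessDeniedException("Missing permission: " + permission);
        }
        return true;
    }
}

@Service
class ReportService { // hypothetical secured service
    @PreAuthorize("@authService.customHasPermission('report:read')")
    public String readReport() {
        return "report";
    }
}

@RestControllerAdvice
class DeniedAdvice { // hypothetical: returns the custom message with a 403
    @ExceptionHandler(AccessDeniedException.class)
    ResponseEntity<String> onDenied(AccessDeniedException ex) {
        return ResponseEntity.status(HttpStatus.FORBIDDEN).body(ex.getMessage());
    }
}
```

Because the check throws rather than returning false, every caller of `customHasPermission` must be prepared for the exception; the permission name in the response body is visible to the client.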

Comment From: jzheaux

Thanks, @dzulic, for reaching out and @CrazyParanoid for sharing about the new feature.

Since this has been brought up previously in https://github.com/spring-projects/spring-security/issues/3306, I'll close this ticket and encourage continuing the conversation over there.