Related to https://github.com/spring-projects/spring-security/issues/15746
Given that authorized objects use setOpaque, there isn't a straightforward way to get the underlying object, in case that is needed.
A way to address this is to add a marker interface, say AuthorizationProxy, that has a JSON-ignored method to retrieve the underlying object, like so:
public interface AuthorizationProxy extends RawTargetAccess {
Object toAuthorizedTarget();
}
Then other AOP components could retrieve the underlying object of anything that implements AuthorizationProxy.
Spring Data has done this in another way with its TargetAware interface, though if Security were to go this route, it would likely apply the @JsonIngore values through a mixin.