Spring Security Provide Runtime Hints for objects authorized by @AuthorizeReturnObject

Related to #14652

Native applications currently need to manually register their authorization proxy classes using a BeanFactoryInitializationAotProcessor like so:

public class AuthorizationProxyFactoryAotProcessor implements BeanFactoryInitializationAotProcessor {

    @Override
    public BeanFactoryInitializationAotContribution processAheadOfTime(ConfigurableListableBeanFactory beanFactory) {
        return new AuthorizationProxyFactoryAotContribution(beanFactory);
    }

    private static final class AuthorizationProxyFactoryAotContribution implements BeanFactoryInitializationAotContribution {

        private final ConfigurableListableBeanFactory beanFactory;

        private AuthorizationProxyFactoryAotContribution(ConfigurableListableBeanFactory beanFactory) {
            this.beanFactory = beanFactory;
        }

        @Override
        public void applyTo(GenerationContext generationContext,
                BeanFactoryInitializationCode beanFactoryInitializationCode) {
            registerProxyClass(generationContext.getRuntimeHints().reflection(), Message.class);
            registerProxyClass(generationContext.getRuntimeHints().reflection(), User.class);
            // ...
        }

        private void registerProxyClass(ReflectionHints reflection, Class<?> clazz) {
            AuthorizationProxyFactory proxyFactory = this.beanFactory.getBean(AuthorizationProxyFactory.class);
            Class<?> proxied = (Class<?>) proxyFactory.proxy(clazz);            
            reflection.registerType(proxied, MemberCategory.INVOKE_PUBLIC_METHODS, MemberCategory.PUBLIC_FIELDS);
        }

    }

}

It would be nice to remove this need, either by scanning the classpath for @AuthorizeReturnObject usage and/or by introducing an API where security-specific proxy hints can be specified.

Some things that should be considered:

• [ ] Adding a Data-specific AotProcessor that inspects the generic types for beans of type RepositoryFactoryBeanSupport that use @AuthorizeReturnObject
• [ ] Adding an AotProcessor that inspects the return values of bean methods that use @AuthorizeReturnObject, traversing the return type's object graph for any nested authorized return objects
• [ ] Adding a way to directly indicate non-bean types that Security should proxy