Placing @AuthorizeReturnObject on a method that returns ResponseEntity is limiting since the user doesn't have access to ResponseEntity to add the appropriate Security annotations.

14717 will add support for applying Security configuration to third-party components. As part of that, Security should consider providing a mixin for Spring Web container objects like `ResponseEntity` and `ModelAndView`.

Comment From: evgeniycheban

Hi, @jzheaux can I work on this?

Spring Security AuthorizeReturnObject should target the authorized object within MVC return values

14717 will add support for applying Security configuration to third-party components. As part of that, Security should consider providing a mixin for Spring Web container objects like ResponseEntity and ModelAndView.

14717 will add support for applying Security configuration to third-party components. As part of that, Security should consider providing a mixin for Spring Web container objects like `ResponseEntity` and `ModelAndView`.