org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer#createDefaultAccessDeniedHandler has this implementation:
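```java
// Field in ExceptionHandlingConfigurer: handlers registered per RequestMatcher
LinkedHashMap<RequestMatcher, AccessDeniedHandler> defaultDeniedHandlerMappings;

private AccessDeniedHandler createDefaultAccessDeniedHandler(H http) {
    // No mappings registered: use the framework default
    if (this.defaultDeniedHandlerMappings.isEmpty()) {
        return new AccessDeniedHandlerImpl();
    }
    // Exactly one mapping: its handler is returned directly, the RequestMatcher key is not used
    if (this.defaultDeniedHandlerMappings.size() == 1) {
        return this.defaultDeniedHandlerMappings.values().iterator().next();
    }
    // Two or more mappings: delegate by matcher, with AccessDeniedHandlerImpl as the fallback
    return new RequestMatcherDelegatingAccessDeniedHandler(this.defaultDeniedHandlerMappings,
            new AccessDeniedHandlerImpl());
}
```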
I'd propose that the special case for `this.defaultDeniedHandlerMappings.size() == 1` is not intuitive, because `defaultDeniedHandlerMappings` is always added for a specific RequestMatcher.
- If I don't add a handler for a request matcher, then `AccessDeniedHandlerImpl` is always used.
- If I add two handlers for request matchers, then `AccessDeniedHandlerImpl` is used when those matchers don't match.
- If I add exactly one handler for a request matcher, then that handler is also used when its request matcher does not match.
I assume the reason is backwards compatibility rather than design choice?
Sorry if it has been reported before.
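
The three cases listed in the report, reproduced as an added example (not part of the original report and not Spring Security's own code). It models the quoted selection logic with plain-JDK stand-ins and prints which handler deals with a denial on a path that no registered matcher covers; the `Handler` interface, the `Predicate<String>` matchers, the handler names and the paths are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Predicate;

// Stand-alone model of the selection logic quoted above. Handler, the Predicate
// matchers and the handler names are simplified stand-ins, not Spring Security types.
public class DefaultDeniedHandlerModel {

    interface Handler { String handle(String path); }

    // Stand-in for AccessDeniedHandlerImpl (the framework default).
    static final Handler DEFAULT = path -> "AccessDeniedHandlerImpl";

    // Stand-in for RequestMatcherDelegatingAccessDeniedHandler: first matching entry wins.
    static Handler delegating(LinkedHashMap<Predicate<String>, Handler> mappings, Handler fallback) {
        return path -> {
            for (Map.Entry<Predicate<String>, Handler> e : mappings.entrySet()) {
                if (e.getKey().test(path)) {
                    return e.getValue().handle(path);
                }
            }
            return fallback.handle(path);
        };
    }

    // Same three branches as createDefaultAccessDeniedHandler.
    static Handler createDefault(LinkedHashMap<Predicate<String>, Handler> mappings) {
        if (mappings.isEmpty()) {
            return DEFAULT;
        }
        if (mappings.size() == 1) {
            return mappings.values().iterator().next(); // matcher key is never consulted
        }
        return delegating(mappings, DEFAULT);
    }

    public static void main(String[] args) {
        LinkedHashMap<Predicate<String>, Handler> mappings = new LinkedHashMap<>();
        String denied = "/web/page"; // constructed path that no registered matcher covers
        System.out.println("0 mappings: " + createDefault(mappings).handle(denied));
        mappings.put(p -> p.startsWith("/api/"), p -> "apiHandler");
        System.out.println("1 mapping:  " + createDefault(mappings).handle(denied));
        mappings.put(p -> p.startsWith("/admin/"), p -> "adminHandler");
        System.out.println("2 mappings: " + createDefault(mappings).handle(denied));
    }
}
```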