or run

npx @tessl/cli init
Log in

Version

Tile

Overview

Evals

Files

docs

aot-native-support.mdauthentication-core.mdauthentication-events.mdauthentication-management.mdauthentication-tokens.mdauthorities.mdauthorization.mdcompromised-password.mdconcurrent-async.mddao-authentication.mdexpression-access-control.mdindex.mdjaas-authentication.mdjackson-serialization.mdmethod-security.mdobservation-metrics.mdone-time-tokens.mdprovisioning.mdsecurity-context.mdsession-management.mduser-details.md
tile.json

authorization.mddocs/

Authorization

Authorization in Spring Security Core provides a comprehensive framework for making access control decisions. This includes both imperative and reactive authorization managers, decision objects, and various built-in authorization strategies.

Key Information for Agents

Core Capabilities:

  • AuthorizationManager - Main interface for authorization decisions
  • ReactiveAuthorizationManager - Reactive version for WebFlux
  • AuthorizationDecision - Result of authorization check (granted/denied)
  • AuthorizationResult - Extended result with additional metadata
  • Built-in managers: AuthorityAuthorizationManager, AuthenticatedAuthorizationManager, AllAuthoritiesAuthorizationManager, AllRequiredFactorsAuthorizationManager
  • AuthorizationManagers - Utility for combining managers (anyOf, allOf)
  • ObservationAuthorizationManager - Micrometer observation support

Key Interfaces and Classes:

  • AuthorizationManager<T> - Interface: check(Supplier<Authentication>, T)
  • ReactiveAuthorizationManager<T> - Interface: check(Mono<Authentication>, T)
  • AuthorizationDecision - Class: isGranted(), getAttributes()
  • AuthorizationResult - Class: isGranted(), getAuthorities(), getFactors()
  • AuthorityAuthorizationManager - Checks for specific authorities
  • AuthenticatedAuthorizationManager - Checks authentication state
  • AllAuthoritiesAuthorizationManager - Requires all specified authorities
  • AllRequiredFactorsAuthorizationManager - Requires all specified factors
  • AuthorizationManagers - Static utilities for combining managers
  • ObservationAuthorizationManager - Wraps manager with observation

Default Behaviors:

  • AuthorizationDecision defaults to denied (granted=false)
  • AuthorityAuthorizationManager requires any of the specified authorities
  • AuthenticatedAuthorizationManager checks if user is authenticated
  • AllAuthoritiesAuthorizationManager requires all specified authorities
  • AllRequiredFactorsAuthorizationManager requires all specified factors
  • AuthorizationManagers.anyOf() grants if any manager grants
  • AuthorizationManagers.allOf() grants only if all managers grant

Threading Model:

  • Authorization managers are stateless (thread-safe)
  • AuthorizationDecision is immutable (thread-safe)
  • Reactive managers work with Mono<Authentication>

Lifecycle:

  • Managers configured once and reused
  • Decisions made per-request/operation

Exceptions:

  • None thrown by core authorization framework (returns denied decision)

Edge Cases:

  • Null authentication: Returns denied decision
  • Empty authorities: AuthorityAuthorizationManager denies
  • Multiple factors: AllRequiredFactorsAuthorizationManager requires all
  • Combined managers: anyOf/allOf short-circuit appropriately
  • Observation: Wraps any manager without changing behavior

Core Interfaces

AuthorizationManager

Main interface for making authorization decisions. Implementations check whether an authenticated user has access to a specific object.

package org.springframework.security.authorization;

interface AuthorizationManager<T> {
    @Nullable AuthorizationDecision check(
        Supplier<Authentication> authentication,
        T object);
}

Key Methods:

@Nullable AuthorizationDecision check(
    Supplier<Authentication> authentication,
    T object)
  • Checks authorization for the given authentication and object.
  • Returns AuthorizationDecision if a decision can be made, null otherwise.
  • The Supplier<Authentication> allows lazy evaluation of authentication.

Generic Type:

  • T - The type of object being authorized (e.g., RequestAuthorizationContext, MethodInvocation)

Example:

AuthorizationManager<RequestAuthorizationContext> manager = ...;
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
AuthorizationDecision decision = manager.check(() -> auth, context);

if (decision != null && decision.isGranted()) {
    // Access granted
} else {
    // Access denied
}

ReactiveAuthorizationManager

Reactive version of AuthorizationManager for use in reactive applications (WebFlux).

package org.springframework.security.authorization;

interface ReactiveAuthorizationManager<T> {
    Mono<AuthorizationDecision> check(
        Mono<Authentication> authentication,
        T object);
}

Key Methods:

Mono<AuthorizationDecision> check(
    Mono<Authentication> authentication,
    T object)
  • Checks authorization reactively.
  • Returns a Mono that emits the authorization decision.

Example:

ReactiveAuthorizationManager<RequestAuthorizationContext> manager = ...;
Mono<Authentication> auth = ReactiveSecurityContextHolder.getContext()
    .map(SecurityContext::getAuthentication);

Mono<AuthorizationDecision> decision = manager.check(auth, context);

decision
    .filter(AuthorizationDecision::isGranted)
    .switchIfEmpty(Mono.error(new AccessDeniedException("Access denied")))
    .block();

Decision Objects

AuthorizationDecision

Represents the result of an authorization check.

package org.springframework.security.authorization;

class AuthorizationDecision {
    AuthorizationDecision(boolean granted);
    AuthorizationDecision(boolean granted, Map<String, Object> attributes);

    boolean isGranted();
    Map<String, Object> getAttributes();
}

Constructors:

AuthorizationDecision(boolean granted)
  • Creates a decision with the specified granted status.
AuthorizationDecision(boolean granted, Map<String, Object> attributes)
  • Creates a decision with granted status and additional attributes.

Key Methods:

boolean isGranted()
  • Returns true if access is granted, false otherwise.
Map<String, Object> getAttributes()
  • Returns additional attributes associated with the decision (may be empty, never null).

Constants:

static final AuthorizationDecision GRANTED = new AuthorizationDecision(true);
static final AuthorizationDecision DENIED = new AuthorizationDecision(false);

Example:

// Simple granted decision
AuthorizationDecision granted = new AuthorizationDecision(true);

// Decision with attributes
Map<String, Object> attrs = new HashMap<>();
attrs.put("reason", "User has admin role");
attrs.put("priority", 1);
AuthorizationDecision decision = new AuthorizationDecision(true, attrs);

// Using constants
AuthorizationDecision allow = AuthorizationDecision.GRANTED;
AuthorizationDecision deny = AuthorizationDecision.DENIED;

// Check decision
if (decision.isGranted()) {
    Map<String, Object> metadata = decision.getAttributes();
    // Process metadata
}

AuthorizationResult

Extended authorization result that includes information about authorities and factors used in the decision.

package org.springframework.security.authorization;

class AuthorizationResult {
    AuthorizationResult(boolean granted);
    AuthorizationResult(
        boolean granted,
        Collection<? extends GrantedAuthority> authorities,
        Collection<String> factors);

    boolean isGranted();
    Collection<? extends GrantedAuthority> getAuthorities();
    Collection<String> getFactors();
}

Constructors:

AuthorizationResult(boolean granted)
  • Creates a result with the specified granted status.
AuthorizationResult(
    boolean granted,
    Collection<? extends GrantedAuthority> authorities,
    Collection<String> factors)
  • Creates a result with granted status, authorities, and factors.

Key Methods:

boolean isGranted()
  • Returns true if access is granted.
Collection<? extends GrantedAuthority> getAuthorities()
  • Returns the authorities that contributed to this decision.
Collection<String> getFactors()
  • Returns the authentication factors that contributed to this decision.

Example:

Collection<GrantedAuthority> authorities =
    AuthorityUtils.createAuthorityList("ROLE_ADMIN", "ROLE_USER");
Collection<String> factors = Arrays.asList("PASSWORD", "OTP");

AuthorizationResult result = new AuthorizationResult(
    true,
    authorities,
    factors
);

if (result.isGranted()) {
    Collection<? extends GrantedAuthority> usedAuthorities =
        result.getAuthorities();
    Collection<String> usedFactors = result.getFactors();
    // Process authorities and factors
}

Built-in Authorization Managers

AuthorityAuthorizationManager

Checks if the authentication has any of the specified authorities.

package org.springframework.security.authorization;

class AuthorityAuthorizationManager implements AuthorizationManager<Object> {
    AuthorityAuthorizationManager();

    void setAuthority(String authority);
    void setAuthorities(String... authorities);
    void setAuthorities(Collection<String> authorities);

    @Nullable AuthorizationDecision check(
        Supplier<Authentication> authentication,
        Object object);
}

Key Methods:

void setAuthority(String authority)
  • Sets a single required authority.
void setAuthorities(String... authorities)
  • Sets multiple required authorities (user needs any one of them).
void setAuthorities(Collection<String> authorities)
  • Sets a collection of required authorities.

Behavior:

  • Grants access if authentication has any of the specified authorities.
  • Denies if authentication is null or has none of the specified authorities.

Example:

AuthorityAuthorizationManager manager = new AuthorityAuthorizationManager();
manager.setAuthorities("ROLE_ADMIN", "ROLE_STAFF");

Authentication adminAuth = new UsernamePasswordAuthenticationToken(
    "admin",
    "password",
    AuthorityUtils.createAuthorityList("ROLE_ADMIN", "ROLE_USER")
);

AuthorizationDecision decision = manager.check(() -> adminAuth, null);
// decision.isGranted() == true (has ROLE_ADMIN)

Authentication userAuth = new UsernamePasswordAuthenticationToken(
    "user",
    "password",
    AuthorityUtils.createAuthorityList("ROLE_USER")
);

AuthorizationDecision denied = manager.check(() -> userAuth, null);
// denied.isGranted() == false (no ROLE_ADMIN or ROLE_STAFF)

AuthenticatedAuthorizationManager

Checks if the authentication is authenticated (not anonymous).

package org.springframework.security.authorization;

class AuthenticatedAuthorizationManager implements AuthorizationManager<Object> {
    AuthenticatedAuthorizationManager();

    @Nullable AuthorizationDecision check(
        Supplier<Authentication> authentication,
        Object object);
}

Behavior:

  • Grants access if authentication is not null and isAuthenticated() returns true.
  • Denies access for anonymous or unauthenticated users.

Example:

AuthenticatedAuthorizationManager manager = new AuthenticatedAuthorizationManager();

// Authenticated user
Authentication auth = new UsernamePasswordAuthenticationToken(
    "user",
    "password",
    AuthorityUtils.createAuthorityList("ROLE_USER")
);
auth.setAuthenticated(true);

AuthorizationDecision decision = manager.check(() -> auth, null);
// decision.isGranted() == true

// Anonymous user
Authentication anonymous = new AnonymousAuthenticationToken(
    "key",
    "anonymous",
    AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")
);

AuthorizationDecision denied = manager.check(() -> anonymous, null);
// denied.isGranted() == false (anonymous is not considered authenticated)

AllAuthoritiesAuthorizationManager

Checks if the authentication has all of the specified authorities.

package org.springframework.security.authorization;

class AllAuthoritiesAuthorizationManager implements AuthorizationManager<Object> {
    AllAuthoritiesAuthorizationManager();

    void setAuthority(String authority);
    void setAuthorities(String... authorities);
    void setAuthorities(Collection<String> authorities);

    @Nullable AuthorizationDecision check(
        Supplier<Authentication> authentication,
        Object object);
}

Key Methods:

Same as AuthorityAuthorizationManager but with different behavior.

Behavior:

  • Grants access only if authentication has all of the specified authorities.
  • Denies if any authority is missing.

Example:

AllAuthoritiesAuthorizationManager manager = new AllAuthoritiesAuthorizationManager();
manager.setAuthorities("ROLE_ADMIN", "ROLE_FINANCE");

// User with both authorities
Authentication fullAuth = new UsernamePasswordAuthenticationToken(
    "admin",
    "password",
    AuthorityUtils.createAuthorityList("ROLE_ADMIN", "ROLE_FINANCE", "ROLE_USER")
);

AuthorizationDecision granted = manager.check(() -> fullAuth, null);
// granted.isGranted() == true (has both ROLE_ADMIN and ROLE_FINANCE)

// User with only one authority
Authentication partialAuth = new UsernamePasswordAuthenticationToken(
    "user",
    "password",
    AuthorityUtils.createAuthorityList("ROLE_ADMIN")
);

AuthorizationDecision denied = manager.check(() -> partialAuth, null);
// denied.isGranted() == false (missing ROLE_FINANCE)

AllRequiredFactorsAuthorizationManager

Checks if the authentication has all required authentication factors.

package org.springframework.security.authorization;

class AllRequiredFactorsAuthorizationManager implements AuthorizationManager<Object> {
    AllRequiredFactorsAuthorizationManager();

    void setFactor(String factor);
    void setFactors(String... factors);
    void setFactors(Collection<String> factors);

    @Nullable AuthorizationDecision check(
        Supplier<Authentication> authentication,
        Object object);
}

Key Methods:

void setFactor(String factor)
  • Sets a single required factor.
void setFactors(String... factors)
  • Sets multiple required factors (all must be present).
void setFactors(Collection<String> factors)
  • Sets a collection of required factors.

Behavior:

  • Checks for FactorGrantedAuthority instances in the authentication.
  • Grants access only if authentication has authorities for all specified factors.
  • Factors are matched by authority string (e.g., "FACTOR_PASSWORD", "FACTOR_OTP").

Example:

import org.springframework.security.core.authority.FactorGrantedAuthority;

AllRequiredFactorsAuthorizationManager manager = new AllRequiredFactorsAuthorizationManager();
manager.setFactors("PASSWORD", "OTP");

// User with both factors
Collection<GrantedAuthority> factors = Arrays.asList(
    FactorGrantedAuthority.fromFactor("PASSWORD"),
    FactorGrantedAuthority.fromFactor("OTP"),
    new SimpleGrantedAuthority("ROLE_USER")
);

Authentication mfaAuth = new UsernamePasswordAuthenticationToken(
    "user",
    "password",
    factors
);

AuthorizationDecision granted = manager.check(() -> mfaAuth, null);
// granted.isGranted() == true (has both PASSWORD and OTP factors)

// User with only one factor
Collection<GrantedAuthority> singleFactor = Arrays.asList(
    FactorGrantedAuthority.fromFactor("PASSWORD"),
    new SimpleGrantedAuthority("ROLE_USER")
);

Authentication partialMfa = new UsernamePasswordAuthenticationToken(
    "user",
    "password",
    singleFactor
);

AuthorizationDecision denied = manager.check(() -> partialMfa, null);
// denied.isGranted() == false (missing OTP factor)

RequiredFactor

Represents a required authentication factor for authorization.

package org.springframework.security.authorization;

class RequiredFactor {
    RequiredFactor(String factor);

    String getFactor();
    boolean equals(Object obj);
    int hashCode();
    String toString();
}

Constructor:

RequiredFactor(String factor)

Key Methods:

String getFactor()
  • Returns the factor name.

Example:

RequiredFactor passwordFactor = new RequiredFactor("PASSWORD");
RequiredFactor otpFactor = new RequiredFactor("OTP");

// Use with AllRequiredFactorsAuthorizationManager
AllRequiredFactorsAuthorizationManager manager = new AllRequiredFactorsAuthorizationManager();
manager.setFactors(
    passwordFactor.getFactor(),
    otpFactor.getFactor()
);

Combining Authorization Managers

AuthorizationManagers

Utility class providing static methods for combining multiple authorization managers.

package org.springframework.security.authorization;

class AuthorizationManagers {
    static <T> AuthorizationManager<T> anyOf(
        AuthorizationManager<T>... managers);
    static <T> AuthorizationManager<T> allOf(
        AuthorizationManager<T>... managers);
    static <T> AuthorizationManager<T> anyOf(
        List<AuthorizationManager<T>> managers);
    static <T> AuthorizationManager<T> allOf(
        List<AuthorizationManager<T>> managers);
}

Static Methods:

static <T> AuthorizationManager<T> anyOf(
    AuthorizationManager<T>... managers)
  • Creates a manager that grants if any of the provided managers grant.
  • Short-circuits: returns granted as soon as one manager grants.
static <T> AuthorizationManager<T> allOf(
    AuthorizationManager<T>... managers)
  • Creates a manager that grants only if all of the provided managers grant.
  • Short-circuits: returns denied as soon as one manager denies.

Example:

// anyOf: User needs ROLE_ADMIN OR ROLE_STAFF
AuthorityAuthorizationManager adminManager = new AuthorityAuthorizationManager();
adminManager.setAuthority("ROLE_ADMIN");

AuthorityAuthorizationManager staffManager = new AuthorityAuthorizationManager();
staffManager.setAuthority("ROLE_STAFF");

AuthorizationManager<Object> anyManager = AuthorizationManagers.anyOf(
    adminManager,
    staffManager
);

// User with ROLE_ADMIN
Authentication adminAuth = new UsernamePasswordAuthenticationToken(
    "admin",
    "password",
    AuthorityUtils.createAuthorityList("ROLE_ADMIN")
);

AuthorizationDecision decision = anyManager.check(() -> adminAuth, null);
// decision.isGranted() == true

// User with ROLE_STAFF
Authentication staffAuth = new UsernamePasswordAuthenticationToken(
    "staff",
    "password",
    AuthorityUtils.createAuthorityList("ROLE_STAFF")
);

AuthorizationDecision decision2 = anyManager.check(() -> staffAuth, null);
// decision2.isGranted() == true

// User with neither
Authentication userAuth = new UsernamePasswordAuthenticationToken(
    "user",
    "password",
    AuthorityUtils.createAuthorityList("ROLE_USER")
);

AuthorizationDecision denied = anyManager.check(() -> userAuth, null);
// denied.isGranted() == false

allOf Example:

// allOf: User must be authenticated AND have ROLE_ADMIN
AuthenticatedAuthorizationManager authenticatedManager =
    new AuthenticatedAuthorizationManager();

AuthorityAuthorizationManager adminManager = new AuthorityAuthorizationManager();
adminManager.setAuthority("ROLE_ADMIN");

AuthorizationManager<Object> combinedManager = AuthorizationManagers.allOf(
    authenticatedManager,
    adminManager
);

// Authenticated admin user
Authentication adminAuth = new UsernamePasswordAuthenticationToken(
    "admin",
    "password",
    AuthorityUtils.createAuthorityList("ROLE_ADMIN")
);
adminAuth.setAuthenticated(true);

AuthorizationDecision granted = combinedManager.check(() -> adminAuth, null);
// granted.isGranted() == true (authenticated AND has ROLE_ADMIN)

// Unauthenticated user
Authentication unauthenticated = new UsernamePasswordAuthenticationToken(
    "user",
    "password",
    AuthorityUtils.createAuthorityList("ROLE_ADMIN")
);
unauthenticated.setAuthenticated(false);

AuthorizationDecision denied = combinedManager.check(() -> unauthenticated, null);
// denied.isGranted() == false (not authenticated)

Complex Combination:

// Complex: (ROLE_ADMIN OR ROLE_STAFF) AND authenticated
AuthorityAuthorizationManager adminOrStaff = AuthorizationManagers.anyOf(
    new AuthorityAuthorizationManager() {{ setAuthority("ROLE_ADMIN"); }},
    new AuthorityAuthorizationManager() {{ setAuthority("ROLE_STAFF"); }}
);

AuthorizationManager<Object> finalManager = AuthorizationManagers.allOf(
    new AuthenticatedAuthorizationManager(),
    adminOrStaff
);

Observation Support

ObservationAuthorizationManager

Wraps an AuthorizationManager with Micrometer observation support for metrics and tracing.

package org.springframework.security.authorization;

class ObservationAuthorizationManager<T> implements AuthorizationManager<T> {
    ObservationAuthorizationManager(
        AuthorizationManager<T> delegate,
        ObservationRegistry observationRegistry);

    @Nullable AuthorizationDecision check(
        Supplier<Authentication> authentication,
        T object);
}

Constructor:

ObservationAuthorizationManager(
    AuthorizationManager<T> delegate,
    ObservationRegistry observationRegistry)
  • Wraps the delegate manager with observation support.

Behavior:

  • Delegates to the wrapped manager.
  • Records observation events for authorization checks.
  • Does not change authorization behavior.

Example:

import io.micrometer.observation.ObservationRegistry;

AuthorityAuthorizationManager delegate = new AuthorityAuthorizationManager();
delegate.setAuthority("ROLE_ADMIN");

ObservationRegistry registry = ObservationRegistry.create();

AuthorizationManager<Object> observedManager =
    new ObservationAuthorizationManager<>(delegate, registry);

// Use as normal - observations are recorded automatically
Authentication auth = ...;
AuthorizationDecision decision = observedManager.check(() -> auth, null);

Reactive Authorization Managers

ReactiveAuthorizationManagers

Utility class for combining reactive authorization managers.

package org.springframework.security.authorization;

class ReactiveAuthorizationManagers {
    static <T> ReactiveAuthorizationManager<T> anyOf(
        ReactiveAuthorizationManager<T>... managers);
    static <T> ReactiveAuthorizationManager<T> allOf(
        ReactiveAuthorizationManager<T>... managers);
}

Example:

ReactiveAuthorizationManager<RequestAuthorizationContext> adminManager = ...;
ReactiveAuthorizationManager<RequestAuthorizationContext> staffManager = ...;

ReactiveAuthorizationManager<RequestAuthorizationContext> anyManager =
    ReactiveAuthorizationManagers.anyOf(adminManager, staffManager);

Mono<Authentication> auth = ...;
Mono<AuthorizationDecision> decision = anyManager.check(auth, context);

Complete Configuration Example

@Configuration
public class AuthorizationConfiguration {

    @Bean
    public AuthorizationManager<RequestAuthorizationContext> adminOnly() {
        AuthorityAuthorizationManager manager = new AuthorityAuthorizationManager();
        manager.setAuthority("ROLE_ADMIN");
        return manager;
    }

    @Bean
    public AuthorizationManager<RequestAuthorizationContext> authenticatedAdmin() {
        AuthenticatedAuthorizationManager authenticated = new AuthenticatedAuthorizationManager();
        AuthorityAuthorizationManager admin = new AuthorityAuthorizationManager();
        admin.setAuthority("ROLE_ADMIN");

        return AuthorizationManagers.allOf(authenticated, admin);
    }

    @Bean
    public AuthorizationManager<RequestAuthorizationContext> multiFactorAccess() {
        AllRequiredFactorsAuthorizationManager manager =
            new AllRequiredFactorsAuthorizationManager();
        manager.setFactors("PASSWORD", "OTP");
        return manager;
    }

    @Bean
    public AuthorizationManager<RequestAuthorizationContext> adminOrStaff() {
        AuthorityAuthorizationManager admin = new AuthorityAuthorizationManager();
        admin.setAuthority("ROLE_ADMIN");

        AuthorityAuthorizationManager staff = new AuthorityAuthorizationManager();
        staff.setAuthority("ROLE_STAFF");

        return AuthorizationManagers.anyOf(admin, staff);
    }

    @Bean
    public AuthorizationManager<RequestAuthorizationContext> observedManager(
            ObservationRegistry registry) {
        AuthorityAuthorizationManager delegate = new AuthorityAuthorizationManager();
        delegate.setAuthority("ROLE_ADMIN");

        return new ObservationAuthorizationManager<>(delegate, registry);
    }
}

Package

  • org.springframework.security.authorization