Describe your motivation
For method security, Spring Security is recommending the @PreAuthorize annotation. This allows you to use SpEL to specify the authorization criteria. They also recommend checking for authorities, and then granting these authorities to roles. This is different from the current Vaadin Flow approach, where you check for roles directly.
Checking for authorities, or using Attribute-based access control, is more flexible than checking for roles alone, and I think it is getting more common (although I have no numbers to back that up). It also prevents Role Explosion from happening.
Describe the solution you'd like
I want to be able to use @PreAuthorize (instead of @RolesAllowed) on routes.
Describe alternatives you've considered
Implementing a custom AccessAnnotationChecker that does this. However, this is such a common requirement that I think it should be supported out of the box.
Additional context
Adding @PreAuthorize to a route may cause Spring to turn it into a proxy, which would be bad. Routes would have to be handled differently. In the worst case, we may have to use our own annotation for this.
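An added illustration, not code from Vaadin, Spring Security or the issue author: plain Java showing an authority-based check that reads a class-level annotation directly from the route class, so no proxy is involved. `@RequiresAuthority`, the role-to-authority table and the view classes are hypothetical names constructed for this sketch, and denying unannotated views is a choice made here.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class AuthorityCheckDemo {
    // Roles are only bundles of authorities; views never name a role,
    // so adding a role does not require touching any view.
    static final Map<String, Set<String>> ROLE_AUTHORITIES = Map.of(
        "ACCOUNTANT", Set.of("invoice:read", "invoice:approve"),
        "AUDITOR", Set.of("invoice:read"));

    // Expand the user's roles into the authorities they grant.
    static Set<String> authoritiesOf(Collection<String> roles) {
        Set<String> granted = new HashSet<>();
        for (String role : roles) {
            granted.addAll(ROLE_AUTHORITIES.getOrDefault(role, Set.of()));
        }
        return granted;
    }

    // The annotation is read from the class itself before any instance
    // exists. Deny by default: an unannotated view is not reachable.
    static boolean hasAccess(Class<?> view, Collection<String> roles) {
        RequiresAuthority required = view.getAnnotation(RequiresAuthority.class);
        return required != null && authoritiesOf(roles).contains(required.value());
    }

    public static void main(String[] args) {
        System.out.println(hasAccess(ApproveInvoiceView.class, List.of("ACCOUNTANT")));
        System.out.println(hasAccess(ApproveInvoiceView.class, List.of("AUDITOR")));
        System.out.println(hasAccess(UnannotatedView.class, List.of("ACCOUNTANT")));
    }
}

// Hypothetical annotation: the "own annotation" fallback mentioned in the issue.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
@interface RequiresAuthority { String value(); }

// Constructed sample classes standing in for route views.
@RequiresAuthority("invoice:approve")
class ApproveInvoiceView {}

class UnannotatedView {}
```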