AuthorizeReturnObject should target the authorized object within MVC return values #16059
Description
Placing @AuthorizeReturnObject on a method that returns ResponseEntity is limiting since the user doesn't have access to ResponseEntity to add the appropriate Security annotations.
#14717 will add support for applying Security configuration to third-party components. As part of that, Security should consider providing a mixin for Spring Web container objects like ResponseEntity and ModelAndView.