Spring Security
SEC-1234

RolesAllowed or Secured Annotations on Interface don't apply to child Interfaces

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.0 RC1
    • Component/s: Core
    • Labels:
      None

      Description

      I have an interface IGenericDAO, which has save, saveOrUpdate and delete methods, marked with @RolesAllowed("ROLE_ADMIN") [1]
      I then have an interface ICustomerDAO which extends IGenericDAO.

      There is a concrete implementation GenericDAO, which implements save, saveOrUpdate and delete, with no annotations.
      There is a concrete implementation CustomerDAO which extends GenericDAO and adds some extra search helpers.

      CustomerDAO does not override save, saveOrUpdate or delete, nor does ICustomerDAO.

      I then get the following unusual behaviour....

      IGenericDAO dao; // injected by spring (concrete GenericDAO)
      ICustomerDAO csDAO; // injected by spring (concrete CustomerDAO)

      dao.save(new BlahDomainObject("genericblah")); // rejected for ROLE_USER, as expected
      csDAO.save(new BlahDomainObject("csBlah")); // Succeeds!!! for ROLE_USER, definitely not expected!

      This is NOT expected. save() is annotated in the only place it can be, but has no effect when I use the extension interface.

      [1] I tried this with @Secured from spring as well, with the same results

        Activity

        Luke Taylor added a comment - - edited

        Not ACLs - changed to core.

        Luke Taylor added a comment -

        Any further updates here? If not, I'll close as "cannot reproduce" for the time being.

        Karl Palsson added a comment -

        Much as I'd love to, I'm afraid no, I've not gotten back to this. It's still on our radar internally, so if/when we try this again, we'll update this bug. You can "cannot reproduce" it for now though. Thanks

        Luke Taylor added a comment -

        OK, thanks

        Karl Palsson added a comment -

        I tried the original code again with Spring Security 3, and it works now. So while something may have been wrong before, it's not anymore.
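
A reflection check for the type hierarchy described in this issue, as an added example in plain Java (not code from the report or from Spring Security): the annotation on IGenericDAO.save is not present on the implementing class's method, so any lookup has to walk superclasses and superinterfaces from whichever type the caller holds. The RolesAllowed annotation below is a local stand-in for the real one, and AnnotationLookupDemo, hierarchy and rolesFor are hypothetical names.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class AnnotationLookupDemo {
    // Local stand-in for the real @RolesAllowed so this file compiles on its own.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RolesAllowed { String[] value(); }

    // Same shape as the report: only IGenericDAO.save carries the annotation.
    interface IGenericDAO { @RolesAllowed("ROLE_ADMIN") void save(Object o); }
    interface ICustomerDAO extends IGenericDAO { Object findByName(String name); }
    static class GenericDAO implements IGenericDAO { public void save(Object o) { } }
    static class CustomerDAO extends GenericDAO implements ICustomerDAO {
        public Object findByName(String name) { return null; }
    }

    // The type itself, its superclasses, and every interface reachable from them.
    static Set<Class<?>> hierarchy(Class<?> type) {
        Set<Class<?>> found = new LinkedHashSet<>();
        for (Class<?> c = type; c != null && c != Object.class; c = c.getSuperclass()) {
            found.add(c);
            for (Class<?> i : c.getInterfaces()) found.addAll(hierarchy(i));
        }
        return found;
    }

    // Roles from the first declaration of the method in the hierarchy that is annotated.
    static List<String> rolesFor(Class<?> type, String name, Class<?>... params) {
        for (Class<?> c : hierarchy(type)) {
            try {
                RolesAllowed ra = c.getDeclaredMethod(name, params).getAnnotation(RolesAllowed.class);
                if (ra != null) return Arrays.asList(ra.value());
            } catch (NoSuchMethodException ignored) { /* not declared on this type */ }
        }
        return Collections.emptyList();
    }

    public static void main(String[] args) throws Exception {
        // Direct lookup resolves to the unannotated GenericDAO.save implementation.
        Method impl = CustomerDAO.class.getMethod("save", Object.class);
        System.out.println(impl.getDeclaringClass().getSimpleName() + ".save annotated directly: "
                + impl.isAnnotationPresent(RolesAllowed.class));
        // Walking the hierarchy reaches IGenericDAO.save from either entry point.
        System.out.println("via CustomerDAO:  " + rolesFor(CustomerDAO.class, "save", Object.class));
        System.out.println("via ICustomerDAO: " + rolesFor(ICustomerDAO.class, "save", Object.class));
    }
}
```

Running the same hierarchy walk over every DAO bean type in a test gives a quick inventory of which methods have no role declaration anywhere in their hierarchy.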


          People

          • Assignee: Luke Taylor
          • Reporter: Karl Palsson