Spring Security
  1. Spring Security
  2. SEC-1450

Pointcuts are incorrectly evaluated in case of generic methods

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.5, 3.0.2
    • Fix Version/s: 3.0.3, 3.1.0.M1
    • Component/s: Core
    • Labels:
      None
    • Environment:
      Java 6

      Description

      Pointcut definitions are incorrectly evaluated if generic methods are used.
      For example consider the following types:

      interface IActionHandler<T extends AbstractAction> {
      int foo(T action);
      }

      class ConcreteActionHandler implements IActionHandler<ConcreteAction> {
      public int foo(ConcreteAction action)

      {...}

      }

      The following pointcut definition used in "protect-pointcut" configuration will not match the ConcreteActionHandler#foo(...) call:
      execution(* IActionHandler.foo(..))

      The reason is the inappropriate resolving of "most specific method" in AbstractFallbackMethodDefinitionSource. The "most specific method" is resolved by the org.springframework.util.ClassUtils#getMostSpecificMethod(...) call, which does not resolve the Java 5 bridge methods! Bridge methods should not be considered at all when ConfigAttributeDefinition-s are figured out. The org.springframework.aop.support.AopUtils#getMostSpecificMethod(...) should be used instead of ClassUtils as it resolves bridge methods correctly.

      The AopUtils should be used instead of ClassUtils in the following places:
      Version 2.0.5 of SpringSecurity: org.springframework.security.intercept.method.AbstractFallbackMethodDefinitionSource line 116
      Version 3.0.2 of SpringSecurity: org.springframework.security.access.method.AbstractFallbackMethodSecurityMetadataSource line 32

      I have tested the version 2.0.5 - it works, when AopUtils is used instead of ClassUtils.
      I have not tested the version 3.0.2 - the mentioned fix is just an assumption.

        Activity

        Hide
        Luke Taylor added a comment -

        I've made the suggested change in master and 3.0.x branches and added an additional test for this scenario.

        Show
        Luke Taylor added a comment - I've made the suggested change in master and 3.0.x branches and added an additional test for this scenario.

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Gabriel Forro
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: