The SecuredAuthorizationManager can now find @secured annotations on …

…subclasses when a method in the superclass is called. closes the issue spring-projects#15002
abimael-turing · May 6, 2024 · 01718bd · 01718bd
1 parent ce995a0
commit 01718bd
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 6 deletions.
diff --git a/...n/java/org/springframework/security/authorization/method/SecuredAuthorizationManager.java b/...n/java/org/springframework/security/authorization/method/SecuredAuthorizationManager.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -61,14 +61,13 @@ private static final class SecuredAuthorizationManagerRegistry extends AbstractA
 		@Override
 		AuthorizationManager<MethodInvocation> resolveManager(Method method, Class<?> targetClass) {
 			Method specificMethod = AopUtils.getMostSpecificMethod(method, targetClass);
-			Secured secured = findSecuredAnnotation(specificMethod);
+			Secured secured = findSecuredAnnotation(specificMethod, targetClass);
 			return (secured != null) ? AuthorityAuthorizationManager.hasAnyAuthority(secured.value()) : NULL_MANAGER;
 		}
 
-		private Secured findSecuredAnnotation(Method method) {
+		private Secured findSecuredAnnotation(Method method, Class<?> targetClass) {
 			Secured secured = AuthorizationAnnotationUtils.findUniqueAnnotation(method, Secured.class);
-			return (secured != null) ? secured
-					: AuthorizationAnnotationUtils.findUniqueAnnotation(method.getDeclaringClass(), Secured.class);
+			return (secured != null) ? secured : AuthorizationAnnotationUtils.findUniqueAnnotation((targetClass != null) ? targetClass : method.getDeclaringClass(), Secured.class);
 		}
 
 	}

diff --git a/...a/org/springframework/security/authorization/method/SecuredAuthorizationManagerTests.java b/...a/org/springframework/security/authorization/method/SecuredAuthorizationManagerTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -141,6 +141,14 @@ public void checkTargetClassAwareWhenInterfaceLevelAnnotationsThenApplies() thro
 		assertThat(decision.isGranted()).isTrue();
 	}
 
+	@Test
+	public void checkSecuredAnnotationOnSubclassWhenMethodInSuperclassWasCalledThenApplies() throws Exception {
+		MockMethodInvocation methodInvocation = new MockMethodInvocation(new Service(), Service.class, "doSmth");
+		SecuredAuthorizationManager manager = new SecuredAuthorizationManager();
+		AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, methodInvocation);
+		assertThat(decision).isNotNull();
+	}
+
 	public static class TestClass implements InterfaceAnnotationsOne, InterfaceAnnotationsTwo {
 
 		public void doSomething() {
@@ -235,4 +243,13 @@ public void inheritedAnnotations() {
 
 	}
 
+	public abstract class AbstractService {
+		public void doSmth() {}
+	}
+
+	@Secured("SECURE")
+	public class Service extends AbstractService {
+
+	}
+
 }