From 01718bdefa8792957204bcc1c809f3f153db3b2a Mon Sep 17 00:00:00 2001
From: Abimael Sergio
Date: Mon, 6 May 2024 15:08:28 -0300
Subject: [PATCH] The SecuredAuthorizationManager can now find @Secured annotations on subclasses when a method in the superclass is called. closes the issue #15002
---
 .../method/SecuredAuthorizationManager.java | 9 ++++-----
 .../SecuredAuthorizationManagerTests.java | 19 ++++++++++++++++++-
 2 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/core/src/main/java/org/springframework/security/authorization/method/SecuredAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/method/SecuredAuthorizationManager.java
index 73ad02ce38b..081b686911d 100644
--- a/core/src/main/java/org/springframework/security/authorization/method/SecuredAuthorizationManager.java
+++ b/core/src/main/java/org/springframework/security/authorization/method/SecuredAuthorizationManager.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -61,14 +61,13 @@ private static final class SecuredAuthorizationManagerRegistry extends AbstractA
 @Override
 AuthorizationManager resolveManager(Method method, Class targetClass) {
 Method specificMethod = AopUtils.getMostSpecificMethod(method, targetClass);
- Secured secured = findSecuredAnnotation(specificMethod);
+ Secured secured = findSecuredAnnotation(specificMethod, targetClass);
 return (secured != null) ? AuthorityAuthorizationManager.hasAnyAuthority(secured.value()) : NULL_MANAGER;
 }
- private Secured findSecuredAnnotation(Method method) {
+ private Secured findSecuredAnnotation(Method method, Class targetClass) {
 Secured secured = AuthorizationAnnotationUtils.findUniqueAnnotation(method, Secured.class);
- return (secured != null) ? secured
- : AuthorizationAnnotationUtils.findUniqueAnnotation(method.getDeclaringClass(), Secured.class);
+ return (secured != null) ? secured : AuthorizationAnnotationUtils.findUniqueAnnotation((targetClass != null) ? targetClass : method.getDeclaringClass(), Secured.class);
 }
 }
diff --git a/core/src/test/java/org/springframework/security/authorization/method/SecuredAuthorizationManagerTests.java b/core/src/test/java/org/springframework/security/authorization/method/SecuredAuthorizationManagerTests.java
index f4049be87fe..f932e12a458 100644
--- a/core/src/test/java/org/springframework/security/authorization/method/SecuredAuthorizationManagerTests.java
+++ b/core/src/test/java/org/springframework/security/authorization/method/SecuredAuthorizationManagerTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
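Review bot: In `findSecuredAnnotation`, `method.getDeclaringClass()` is now consulted only when `targetClass` is null, so a class-level `@Secured` declared on a superclass keeps applying only if `findUniqueAnnotation` searches the type hierarchy of `targetClass`; that helper is outside this hunk, so it is worth confirming with a test that an unannotated subclass of an annotated class still resolves a manager. It matters because `resolveManager` falls back to `NULL_MANAGER` when nothing is found, which presumably leaves the invocation without an authority check. The precedence also deserves a comment above the method, e.g. `// Method-level @Secured wins; otherwise use the class-level one on the invoked target class (declaring class if none is given).` The nested ternary would read better with the class picked first into a local (say `lookupClass`) and the return written as `return (secured != null) ? secured : AuthorizationAnnotationUtils.findUniqueAnnotation(lookupClass, Secured.class);`.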
@@ -141,6 +141,14 @@ public void checkTargetClassAwareWhenInterfaceLevelAnnotationsThenApplies() thro
 assertThat(decision.isGranted()).isTrue();
 }
+ @Test
+ public void checkSecuredAnnotationOnSubclassWhenMethodInSuperclassWasCalledThenApplies() throws Exception {
+ MockMethodInvocation methodInvocation = new MockMethodInvocation(new Service(), Service.class, "doSmth");
+ SecuredAuthorizationManager manager = new SecuredAuthorizationManager();
+ AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser, methodInvocation);
+ assertThat(decision).isNotNull();
+ }
+
 public static class TestClass implements InterfaceAnnotationsOne, InterfaceAnnotationsTwo {
 public void doSomething() {
@@ -235,4 +243,13 @@ public void inheritedAnnotations() {
 }
+ public abstract class AbstractService {
+ public void doSmth() {}
+ }
+
+ @Secured("SECURE")
+ public class Service extends AbstractService {
+
+ }
+
 }
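Review bot: `checkSecuredAnnotationOnSubclassWhenMethodInSuperclassWasCalledThenApplies` asserts only `assertThat(decision).isNotNull()`, which shows that a manager was resolved but not that the `SECURE` authority is enforced. For an authorization rule the outcome should be pinned, e.g. `assertThat(decision.isGranted()).isFalse();` for `TestAuthentication::authenticatedUser` (assuming that user does not hold `SECURE`), with a second invocation under an authentication that does hold it asserting `isTrue()`. A companion case with `@Secured` on the superclass and an unannotated subclass as the target would also guard against an inherited restriction being dropped by the new lookup.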
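Review bot: `AbstractService` and `Service` are added as non-static inner classes, while the fixture visible earlier in this file is declared `public static class TestClass`; nothing in them uses an enclosing test instance, so `public abstract static class AbstractService` and `public static class Service extends AbstractService` would match. Spelling the method name out (`doSomething` rather than `doSmth`) and adding a one-line comment that the pair models a class-level `@Secured` on a subclass whose method is inherited would make the intent clear to the next reader.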