PreAuthorizeExpressionAttributeRegistry#resolveAttribute can't find annotation on class when method is declared on superclass #13783
Comments
Well, I was wondering if there are any updates on this?

```java
/**
 * @see org.springframework.security.authorization.method.PostAuthorizeExpressionAttributeRegistry#findPostAuthorizeAnnotation
 */
private PostAuthorize findPostAuthorizeAnnotation(Method method, Class<?> targetClass) {
	// First look for the annotation on the method itself (including meta-annotations).
	PostAuthorize postAuthorize = AuthorizationAnnotationUtils.findUniqueAnnotation(method, PostAuthorize.class);
	// org.springframework.security.authorization.method.PostAuthorizeExpressionAttributeRegistry#resolveAttribute
	// Use `targetClass` (the class passed in by the calling resolveAttribute(Method, Class<?>))
	// instead of `method.getDeclaringClass()`, so a class-level annotation on the invoked
	// subclass is found even when the method is declared on a superclass.
	return (postAuthorize != null) ? postAuthorize
			: AuthorizationAnnotationUtils.findUniqueAnnotation(targetClass, PostAuthorize.class);
}
```
For backward compatibility, this commit changes the annotation traversal logic to match what is found in PrePostAnnotationSecurityMetadataSource. This reverts gh-13783 which is a feature that unfortunately regresses pre-existing behavior like that found in gh-15352. As such, that functionality has been removed. Issue gh-15352
@jzheaux As you said in your comment on #15014: in general, annotations declared lower in the hierarchy do not affect methods higher in the hierarchy. So does Spring Security still need to support this scenario?
@jzheaux @kse-music I noticed the discussions regarding this feature, but I am a bit confused about whether the discussion is about deciding to remove this feature. Personally, I hope to keep this feature as I really need it. From my perspective, it is logical for a security annotation on a subclass to also affect its superclass. If the decision is to remove it, could you make this behavior configurable? There is a lot of nested code involved here, and most of it is
Describe the bug
A @PreAuthorize annotation placed on a class is not found when the method is declared on a superclass.
To Reproduce
Create a class and define methods like:
Create a controller:
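The reproduction steps above are missing their code on this page. The following is an added, self-contained example (not code from the issue or from Spring Security) that shows the mechanism behind the bug with plain reflection: a superclass declares the method, the subclass carries the class-level annotation, and a lookup that goes through `method.getDeclaringClass()` misses it while a lookup against the invoked target class finds it. The `@PreAuthorize` annotation here is a stand-in declared inline so the file compiles without Spring; Spring's real lookup (`AuthorizationAnnotationUtils.findUniqueAnnotation`) also resolves meta-annotations, but the declaring-class-versus-target-class difference is the same.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

// Stand-in for org.springframework.security.access.prepost.PreAuthorize (assumption:
// declared here only so the example runs without Spring on the classpath).
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@interface PreAuthorize {
    String value();
}

// Superclass declares the method; it carries no security annotation.
class BaseController {
    public String hello() {
        return "hello";
    }
}

// Subclass carries the class-level annotation and inherits hello() unchanged.
@PreAuthorize("hasRole('ADMIN')")
class AdminController extends BaseController {
}

public class AnnotationLookupDemo {

    // Mirrors the lookup the issue reports: method first, then method.getDeclaringClass().
    // For an inherited method the declaring class is BaseController, so this returns null.
    static PreAuthorize resolveViaDeclaringClass(Method method) {
        PreAuthorize onMethod = method.getAnnotation(PreAuthorize.class);
        if (onMethod != null) {
            return onMethod;
        }
        return method.getDeclaringClass().getAnnotation(PreAuthorize.class);
    }

    // The alternative proposed in the comments: method first, then the invoked target class.
    static PreAuthorize resolveViaTargetClass(Method method, Class<?> targetClass) {
        PreAuthorize onMethod = method.getAnnotation(PreAuthorize.class);
        if (onMethod != null) {
            return onMethod;
        }
        return targetClass.getAnnotation(PreAuthorize.class);
    }

    public static void main(String[] args) throws Exception {
        // Look the method up through the subclass, as a proxy or interceptor would see it.
        Method hello = AdminController.class.getMethod("hello");

        System.out.println("declaring class       : " + hello.getDeclaringClass().getSimpleName());
        System.out.println("via declaring class   : " + resolveViaDeclaringClass(hello));
        System.out.println("via target class      : " + resolveViaTargetClass(hello, AdminController.class));
    }
}
```

Running `java AnnotationLookupDemo.java` shows that the declaring class of `hello()` is `BaseController`, so the declaring-class lookup yields `null` (no attribute, so no authorization check would be applied to that invocation), whereas the target-class lookup returns the subclass's annotation. When auditing an application on an affected version, the defensive check is the same: for every inherited method on a class-level-annotated controller, confirm the annotation is actually resolved, or move the annotation to the method or to the class that declares it.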