Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

5.8.12: @Secured annotation on subclasses is not read by SecuredAuthorizationManager when method in superclass was called #15002

Open
artem103 opened this issue May 2, 2024 · 5 comments
Open

5.8.12: @Secured annotation on subclasses is not read by SecuredAuthorizationManager when method in superclass was called #15002

artem103 opened this issue May 2, 2024 · 5 comments
Assignees
@jzheaux
Labels
in: core An issue in spring-security-core type: bug A general bug

Comments

@artem103
Copy link

artem103 commented May 2, 2024
edited
Loading

If I have 2 classes,

public abstract class AbstractService {
    public void doSmth() {...}
}

@Secured("SECURE")
@Service
public class Service extends AbstractService {
...
}

and when I call service.doSmth(), security is not applied, because method org.springframework.security.authorization.method.SecuredAuthorizationManager.SecuredAuthorizationManagerRegistry#findSecuredAnnotation will try to get annotation of AbstractService, not of Service.

See the 6 version of this method https://github.com/spring-projects/spring-security/blob/main/core/src/main/java/org/springframework/security/authorization/method/SecuredAuthorizationManager.java
This bug was fixed there.
@artem103 artem103 added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels May 2, 2024
@abimael-turing
Copy link

@artem103, I'm interested in addressing this issue. Could you assign it to me, please?

@artem103
Copy link
Author

artem103 commented May 3, 2024
edited
Loading

@abimael-turing seems I can not assign it, probably I have no priveleges to do that

@abimael-turing
Copy link

@artem103 No problem, I've already started working on it and I'll submit a pull request ASAP.

abimael-turing pushed a commit to abimael-turing/spring-security that referenced this issue May 6, 2024
@abimaelrsergio
The SecuredAuthorizationManager can now find @secured annotations on …
01718bd 
…subclasses when a method in the superclass is called.

closes the issue spring-projects#15002
@abimael-turing abimael-turing mentioned this issue May 6, 2024
Closed
abimael-turing pushed a commit to abimael-turing/spring-security that referenced this issue May 6, 2024
@abimaelrsergio
The SecuredAuthorizationManager can now find @secured annotations on …
76a3b15 
…subclasses when a method in the superclass is called.

Format the code and closes the issue spring-projects#15002
@abimael-turing
Copy link

@artem103 and @spring-projects-issues, I completed the pull request, but the build is failing on GitHub due to deprecated Gradle features, which are incompatible with Gradle 8.0.

image

@jzheaux jzheaux self-assigned this May 21, 2024
@jzheaux jzheaux added in: core An issue in spring-security-core and removed status: waiting-for-triage An issue we've not yet triaged labels May 21, 2024
jzheaux pushed a commit to abimael-turing/spring-security that referenced this issue May 21, 2024
@abimaelrsergio @jzheaux
SecuredAuthorizationManager Finds @secured on Subclasses
9c94bcc 
Closes spring-projectsgh-15002
@jzheaux
Copy link
Contributor

jzheaux commented Sep 4, 2024

Thanks again for filing this, @artem103. Based on this comment I'm going to close this ticket. If there is anything that I've missed, please comment in #13783 where the original feature was requested.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jzheaux jzheaux

Labels
in: core An issue in spring-security-core type: bug A general bug
Projects
Spring Security Team
Status: No status
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jzheaux @abimael-turing @artem103