AbstractAdvisorAutoProxyCreator should consistently detect package-visible methods [SPR-14174] #17890

Closed
spring-issuemaster opened this issue Apr 14, 2016 · 2 comments

spring-issuemaster commented Apr 14, 2016

Rob Winch opened SPR-14174 and commented

It would be nice if Spring's AbstractAdvisorAutoProxyCreator would support package scope methods. This has become increasingly important for Boot style applications which often use default methods. For example, the controller below is not secured due to the fact that a package scope method is used:

```java
@RestController
public class AdminController {

	@PreAuthorize("hasRole('ADMIN')")
	@RequestMapping("/admin/")
	String index() {
		return "Admin";
	}
}
```

Right now this appears to be blocked by the fact that AopUtils.canApply only checks public methods, since it uses methods = clazz.getMethods().


Referenced from: commits 9991122

spring-issuemaster commented Apr 14, 2016

Juergen Hoeller commented

Indeed, there is an inconsistency in the canApply matching for PointcutAdvisors: We need to detect matches with package-visible methods at that level, since package-visible methods are actually being matched later on within an actual proxy. For example, if your controller example above has any public method with the same pointcut, the package-visible method will get intercepted; it will just be ignored if it is the only match for the pointcut on the given class, as far as my tests go. This clearly has to get aligned, and I've just done so through iterating ClassUtils.getAllDeclaredMethods in AopUtils.canApply.

As side fixes, we're also ignoring Pointcut beans for auto-proxying now (like we do for Advice and Advisor beans already), and we're shortcutting canApply checks if we're dealing with MethodMatcher.TRUE (since there is no need to retrieve methods for iteration purposes in that case).
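
The visibility gap discussed in this thread can be reproduced with plain reflection. The following is an added example, not code from the issue or from Spring: `RequiresRole` is a hypothetical stand-in for a security annotation such as `@PreAuthorize`, the nested `AdminController` is a constructed sample, and the second scan walks only the superclass chain as a simplified illustration of looking at all declared methods.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

public class VisibilityScanDemo {

    // Hypothetical stand-in for a security annotation such as @PreAuthorize.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface RequiresRole { String value(); }

    // Constructed sample mirroring the controller in the issue.
    static class AdminController {
        @RequiresRole("ADMIN")
        String index() { return "Admin"; }   // package-visible, like the original
    }

    // Public-only view: getMethods() returns public members (own and inherited) only.
    static List<Method> annotatedViaGetMethods(Class<?> type) {
        List<Method> found = new ArrayList<>();
        for (Method m : type.getMethods()) {
            if (m.isAnnotationPresent(RequiresRole.class)) found.add(m);
        }
        return found;
    }

    // Walks the superclass chain with getDeclaredMethods(), so every visibility is seen.
    static List<Method> annotatedViaDeclaredMethods(Class<?> type) {
        List<Method> found = new ArrayList<>();
        for (Class<?> c = type; c != null && c != Object.class; c = c.getSuperclass()) {
            for (Method m : c.getDeclaredMethods()) {
                if (m.isAnnotationPresent(RequiresRole.class)) found.add(m);
            }
        }
        return found;
    }

    public static void main(String[] args) {
        Class<?> type = AdminController.class;
        System.out.println("getMethods() matches:         " + annotatedViaGetMethods(type).size());
        for (Method m : annotatedViaDeclaredMethods(type)) {
            String vis = Modifier.isPublic(m.getModifiers()) ? "public" : "non-public";
            System.out.println("declared-method scan matched: " + m.getName() + " (" + vis + ")");
        }
    }
}
```

The same declared-method scan can run as a build-time check that lists security annotations placed on non-public methods, so they can be verified against the Spring version in use.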

spring-issuemaster commented Apr 14, 2016

Rob Winch commented

Thanks for the fast turnaround on this! I can confirm that the changes have resolved the problem I was experiencing. Thanks again!
