Description
See sample code in branch (feature/secured-interface-bug) to reproduce issue:
https://github.com/caspianb/SpringBootTest/tree/feature/secured-interface-bug
I reproduced this issue in Spring Boot 2.1.0, 2.1.4, and 2.1.8.
Spring Controllers seem to be getting confused when implementing an interface and adding `@Secured` to an `@Override` method:
```java
@RestController
public class UserController implements BaseController {

    @Override
    @RequestMapping(method = RequestMethod.GET)
    public ResponseEntity<String> getData() {
        return ResponseEntity.ok("You have access! <a href=\"/api\">Protected Access?</a> | <a href=\"/logout\">Logout</a>");
    }

    @Override
    @Secured("ROLE_ADMIN")
    @RequestMapping(path = "api", method = RequestMethod.GET)
    public ResponseEntity<String> getProtectedData() {
        return ResponseEntity.ok("You have protected access! <a href=\"/logout\">Logout</a>");
    }
}
```
The above example will always throw a 404 on either endpoint. Simply removing either the `@Secured` annotation or the `implements BaseController` will eliminate the 404.
The same occurs if I define the mappings on the interface itself. Ideally, I would like to define the mappings on the interface and then explicitly mark `@Secured` on implementing classes, but it seems odd that simply implementing an interface in conjunction with `@Secured` breaks the entire controller.
Note that trying to utilize either `@RolesAllowed` or `@PreAuthorize` has the same outcome as `@Secured` as described above.