SEC-906: SecuredMethodDefinitionSource always requires AspectJ to be on the classpath #1159
Labels
status: declined
A suggestion or change that we don't feel we should currently apply
type: enhancement
A general enhancement
type: jira
An issue that was migrated from JIRA
Milestone
Comments
|
Luke Taylor said: This dependency has been in there since Acegi’s AspectJSecurityInterceptor was written so this isn’t anything new and so a decision can be postponed till 2.1. Any changes to check with classloaders etc will just make the code harder to follow and the aspectj runtime jar is only about 100k in size in any case. |
|
Luke Taylor said: I don’t think this justifies making changes to core code to locate classes reflectively etc. It just makes for a maintenance headache and aspectj is likely to feature even more strongly in future releases. |
|
Dan Diephouse said: This dependency wasn’t in Acegi 1.0.6. We performed a straightforward upgrade of our app and this is the first time we had to add the dependency. |
spring-projects-issues
added
Closed
type: enhancement
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When setting up a SecuredMethodDefinitionSource based on AOP Alliance Java will throw a "java.lang.NoClassDefFoundError: org/aspectj/lang/Signature ". The reason is that SecuredMethodDefinitionSource extends AbstractFallbackMethodDefinitionSource which has compile time references to AOP alliance and aspectJ classes. Thus it currently is not possible to use @Secured without having AspectJ on the classpath.
AbstractFallbackMethodDefinitionSource as well as AbstractMethodDefinitionSource should delegate AspectJ related checkings to subclasses that are only loaded if it is dynamically determined whether AspectJ is on the classpath or not.
Right now I helped myself by patching the class and simply commenting out all JoinPoint and Signature class references.
The text was updated successfully, but these errors were encountered: