SEC-1096: Revert SEC-1016: Modify ordering in GlobalMethodSecurityBeanDefinitionParser #1347

Closed
spring-issuemaster opened this Issue Feb 3, 2009 · 2 comments

@spring-issuemaster

Ruud Senden (Migrated from SEC-1096) said:

The original issue requested to make pointcuts take precedence over annotations, which has now been implemented. Actually I do not like this change, and the reason behind it.

The way I see it, you can use pointcuts to specify default security restrictions (as a simple example: disallow all access to classes with the @Service annotation), and override these global restrictions using class- or method-specific annotations.

I think the reason for the original request was to be able to override hard-coded security restrictions using configuration changes, for example at deployment time. IMO, if one requires this functionality, one shouldn’t have used hard-coded annotations in the first place. This is also a security and maintenance risk; the programmer thinks he has implemented security restrictions correctly, but later on somebody modifies these restrictions from the outside.

Maybe it should be configurable which mechanism takes precedence, but I think the fail-safe default should be that annotations take precedence over pointcuts.

Luke Taylor said:

I think you're probably right. I've reverted the change, so annotations take precedence.
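The precedence scenario described in the two comments above, as an added configuration example (not code from the issue or from the Spring Security project): a `protect-pointcut` sets a default restriction on every service class, and a `@Secured` annotation on one method relaxes it. The package `com.example.service`, the class `ReportService` and its methods are assumptions made for the illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- Enable @Secured annotations alongside pointcut-based rules. -->
    <sec:global-method-security secured-annotations="enabled">

        <!-- Default (fail-closed) rule: every public method of every
             *Service class in the assumed package requires ROLE_ADMIN. -->
        <sec:protect-pointcut
            expression="execution(* com.example.service.*Service.*(..))"
            access="ROLE_ADMIN"/>

    </sec:global-method-security>

    <!-- Assumed service bean. In source it looks like:

         @Service
         public class ReportService {
             @Secured("ROLE_USER")          // explicit, hard-coded override
             public Summary viewSummary() { ... }

             public void purgeArchive() { ... }   // no annotation
         }

         With annotations taking precedence (the ordering restored when
         SEC-1016 was reverted):
           viewSummary()  -> ROLE_USER   (annotation wins over the pointcut)
           purgeArchive() -> ROLE_ADMIN  (no annotation, pointcut default applies)

         With the SEC-1016 ordering (pointcuts first), viewSummary() would
         silently have required ROLE_ADMIN instead, i.e. the deployment-time
         XML would have overridden the restriction written in the code. -->
    <bean id="reportService" class="com.example.service.ReportService"/>

</beans>
```

Whichever source answers first for a method supplies its attributes, so the unannotated method still falls through to the pointcut default; the annotation only changes the method it is placed on.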

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M2 milestone Feb 5, 2016
This issue supersedes #1269