Ruud Senden (Migrated from SEC-1096) said:
The original issue requested to make pointcuts take precedence over annotations, which has now been implemented. Actually I do not like this change, and the reason behind it.
The way I see it, you can use pointcuts to specify default security restrictions (as a simple example: disallow all access to classes with the @Service annotation), and override these global restrictions using class- or method-specific annotations.
I think the reason for the original request was to be able to override hard-coded security restrictions using configuration changes, for example at deployment time. IMO, if one requires this functionality, one shouldn’t have used hard-coded annotations in the first place. This is also a security and maintenance risk; the programmer thinks he has implemented security restrictions correctly, but later on somebody modifies these restrictions from the outside.
Maybe it should be configurable which mechanism takes precedence, but I think the fail-safe default should be that annotations take precedence over pointcuts.
Luke Taylor said:
I think you're probably right. I've reverted the change, so annotations take precedence.
This issue supersedes #1269