SEC-1204: MethodSecurityInterceptor doesn't secure implemented interfaces #1449

Closed
spring-issuemaster opened this Issue Jul 21, 2009 · 3 comments

1 participant

@spring-issuemaster

Dan Diephouse (Migrated from SEC-1204) said:

For two examples out there in the community:

http://www.mulesource.org/jira/browse/MULE-4208
http://forum.springsource.org/showthread.php?t=74497

This is a regression from Acegi.

@spring-issuemaster

Luke Taylor said:

Have you tried it with class-proxying disabled? It should work with either the interface or the class name.

For example, with the following configuration




securityInterceptor




target





org.springframework.security.ITargetObject.makeLower=ROLE_A
org.springframework.security.TargetObject.makeUpper
=ROLE_A
org.springframework.security.ITargetObject.computeHashCode*=ROLE_B


Then calling both the makeLower and makeUpper methods on the "target" object (with no security context) results in an AuthenticationException, indicating that the interceptor is applied.

@spring-issuemaster

Luke Taylor said:

Any further input? If not I will close the issue.

@spring-issuemaster

Luke Taylor said:

No feedback in over a month, so closing the issue. The general statement that interface proxying isn't supported by MethodSecurityInterceptor is clearly inaccurate since we have tests in place which do just this. If more specific issues can be isolated then please raise them individually.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 RC1 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment