SEC-1204: MethodSecurityInterceptor doesn't secure implemented interfaces #1449

Closed
spring-issuemaster opened this Issue Jul 21, 2009 · 3 comments

Dan Diephouse (Migrated from SEC-1204) said:

For two examples out there in the community:

http://www.mulesource.org/jira/browse/MULE-4208
http://forum.springsource.org/showthread.php?t=74497

This is a regression from Acegi.

Luke Taylor said:

Have you tried it with class-proxying disabled? It should work with either the interface or the class name.

For example, with the following configuration

securityInterceptor target

    org.springframework.security.ITargetObject.makeLower*=ROLE_A
    org.springframework.security.TargetObject.makeUpper*=ROLE_A
    org.springframework.security.ITargetObject.computeHashCode*=ROLE_B

Then calling both the makeLower and makeUpper methods on the "target" object (with no security context) results in an AuthenticationException, indicating that the interceptor is applied.
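The behaviour described in the comment above, modelled in plain Java as an added example (not code from the thread and not Spring Security's implementation): a JDK interface proxy that resolves a required role from patterns keyed by either the interface or the implementing class. The class `InterfaceProxyDemo`, the helpers `requiredRole` and `secure`, and the nested copies of `ITargetObject`/`TargetObject` are hypothetical stand-ins.

```java
import java.lang.reflect.*;
import java.util.*;

public class InterfaceProxyDemo {
    interface ITargetObject { String makeLowerCase(String s); String makeUpperCase(String s); }

    static class TargetObject implements ITargetObject {
        public String makeLowerCase(String s) { return s.toLowerCase(); }
        public String makeUpperCase(String s) { return s.toUpperCase(); }
    }

    // Constructed rules modelled on the thread: one keyed by interface, one by class.
    static final Map<String, String> RULES = new LinkedHashMap<>();
    static {
        RULES.put(ITargetObject.class.getName() + ".makeLower*", "ROLE_A");
        RULES.put(TargetObject.class.getName() + ".makeUpper*", "ROLE_A");
    }

    // Under a JDK proxy the Method object belongs to the interface, so the lookup
    // must try the declaring interface AND the target class, or class-keyed rules are missed.
    static String requiredRole(Method m, Class<?> targetClass) {
        for (Class<?> c : new Class<?>[] { m.getDeclaringClass(), targetClass }) {
            for (Map.Entry<String, String> e : RULES.entrySet()) {
                String k = e.getKey();
                String prefix = k.substring(0, k.length() - 1); // drop trailing '*'
                if ((c.getName() + "." + m.getName()).startsWith(prefix)) return e.getValue();
            }
        }
        return null; // no rule: method is not secured
    }

    static ITargetObject secure(ITargetObject target, Set<String> callerRoles) {
        InvocationHandler h = (proxy, m, args) -> {
            String role = requiredRole(m, target.getClass());
            if (role != null && (callerRoles == null || !callerRoles.contains(role)))
                throw new SecurityException("denied: " + m.getName() + " needs " + role);
            return m.invoke(target, args);
        };
        return (ITargetObject) Proxy.newProxyInstance(
            ITargetObject.class.getClassLoader(), new Class<?>[] { ITargetObject.class }, h);
    }

    public static void main(String[] args) {
        ITargetObject ok = secure(new TargetObject(), Collections.singleton("ROLE_A"));
        System.out.println(ok.makeUpperCase("allowed"));
        ITargetObject anon = secure(new TargetObject(), null); // no security context
        try { anon.makeLowerCase("X"); } catch (SecurityException e) { System.out.println(e.getMessage()); }
        try { anon.makeUpperCase("x"); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Removing `targetClass` from the lookup loop leaves `makeUpperCase` callable with no roles, which is the kind of silent gap to test for when rules are keyed by class name but the bean is proxied by interface.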

Luke Taylor said:

Any further input? If not I will close the issue.

Luke Taylor said:

No feedback in over a month, so closing the issue. The general statement that interface proxying isn't supported by MethodSecurityInterceptor is clearly inaccurate since we have tests in place which do just this. If more specific issues can be isolated then please raise them individually.

spring-issuemaster added this to the 3.0.0 RC1 milestone Feb 5, 2016
