SEC-1450: Pointcuts are incorrectly evaluated in case of generic methods #1690

spring-issuemaster opened this Issue Mar 24, 2010 · 1 comment


None yet

1 participant


Gabriel Forro (Migrated from SEC-1450) said:

Pointcut definitions are incorrectly evaluated if generic methods are used.
For example consider the following types:

interface IActionHandler {
int foo(T action);

class ConcreteActionHandler implements IActionHandler {
public int foo(ConcreteAction action) {...}

The following pointcut definition used in "protect-pointcut" configuration will not match the ConcreteActionHandler#foo(...) call:

The reason is the inappropriate resolving of "most specific method" in AbstractFallbackMethodDefinitionSource. The "most specific method" is resolved by the org.springframework.util.ClassUtils#getMostSpecificMethod(...) call, which does not resolve the Java 5 bridge methods! Bridge methods should not be considered at all when ConfigAttributeDefinition-s are figured out. The should be used instead of ClassUtils as it resolves bridge methods correctly.

The AopUtils should be used instead of ClassUtils in the following places:
Version 2.0.5 of SpringSecurity: line 116
Version 3.0.2 of SpringSecurity: line 32

I have tested the version 2.0.5 - it works, when AopUtils is used instead of ClassUtils.
I have not tested the version 3.0.2 - the mentioned fix is just an assumption.


Luke Taylor said:

I've made the suggested change in master and 3.0.x branches and added an additional test for this scenario.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment