SEC-1450: Pointcuts are incorrectly evaluated in case of generic methods #1690

Closed
spring-issuemaster opened this Issue Mar 24, 2010 · 1 comment

1 participant

@spring-issuemaster

Gabriel Forro (Migrated from SEC-1450) said:

Pointcut definitions are incorrectly evaluated if generic methods are used.
For example consider the following types:

interface IActionHandler<T> {
    int foo(T action);
}

class ConcreteActionHandler implements IActionHandler<ConcreteAction> {
    public int foo(ConcreteAction action) {...}
}

The following pointcut definition used in "protect-pointcut" configuration will not match the ConcreteActionHandler#foo(...) call:
execution(* IActionHandler.foo(..))

The reason is the inappropriate resolving of "most specific method" in AbstractFallbackMethodDefinitionSource. The "most specific method" is resolved by the org.springframework.util.ClassUtils#getMostSpecificMethod(...) call, which does not resolve the Java 5 bridge methods! Bridge methods should not be considered at all when ConfigAttributeDefinition-s are figured out. The org.springframework.aop.support.AopUtils#getMostSpecificMethod(...) should be used instead of ClassUtils as it resolves bridge methods correctly.

The AopUtils should be used instead of ClassUtils in the following places:
Version 2.0.5 of SpringSecurity: org.springframework.security.intercept.method.AbstractFallbackMethodDefinitionSource line 116
Version 3.0.2 of SpringSecurity: org.springframework.security.access.method.AbstractFallbackMethodSecurityMetadataSource line 32

I have tested version 2.0.5; it works when AopUtils is used instead of ClassUtils.
I have not tested version 3.0.2; the mentioned fix is just an assumption.
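To illustrate the bridge-method lookup problem described in the report, here is an added example in plain Java reflection; it is not code from the issue or from Spring Security. The attribute map and the role name are constructed stand-ins for the metadata source, and resolveBridge is a hypothetical minimal substitute for the bridge resolution that AopUtils performs.

```java
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;

// Types from the issue report; method bodies are assumed for this example.
class ConcreteAction {}

interface IActionHandler<T> {
    int foo(T action);
}

class ConcreteActionHandler implements IActionHandler<ConcreteAction> {
    @Override
    public int foo(ConcreteAction action) { return 0; }
}

public class BridgeMethodDemo {
    /** Hypothetical stand-in: map a compiler-generated bridge method to the method it delegates to. */
    static Method resolveBridge(Method m) {
        if (!m.isBridge()) return m;
        for (Method c : m.getDeclaringClass().getDeclaredMethods()) {
            if (!c.isBridge() && c.getName().equals(m.getName())
                    && c.getParameterCount() == m.getParameterCount()) {
                return c;
            }
        }
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed: security attributes keyed on the concrete, non-bridge method,
        // as a pointcut match against ConcreteActionHandler#foo(ConcreteAction) would register them.
        Map<Method, String> attributes = new HashMap<>();
        attributes.put(ConcreteActionHandler.class.getMethod("foo", ConcreteAction.class), "ROLE_USER");

        // At invocation time the interface method is known; after erasure its signature is foo(Object).
        Method ifaceMethod = IActionHandler.class.getMethod("foo", Object.class);
        // Looking up that erased signature on the target class yields the synthetic bridge method.
        Method lookedUp = ConcreteActionHandler.class.getMethod(
                ifaceMethod.getName(), ifaceMethod.getParameterTypes());
        System.out.println(lookedUp + " isBridge=" + lookedUp.isBridge());          // isBridge=true

        // Without bridge resolution the lookup misses, so the call would run unprotected.
        System.out.println("without resolution: " + attributes.get(lookedUp));       // null
        // Resolving the bridge first finds the registered attribute.
        System.out.println("with resolution: " + attributes.get(resolveBridge(lookedUp))); // ROLE_USER
    }
}
```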

@spring-issuemaster

Luke Taylor said:

I've made the suggested change in master and 3.0.x branches and added an additional test for this scenario.

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016