Greg Nieman (Migrated from SEC-1768) said:
Created on behalf of client, with the following use case:
In this case only the methods on the bean, not the interface, are secured when the method is "". They feel that in addition to the methods declared on the bean, all implemented interface methods should also be secured when the "" is specified for the method.
Attached is a sample test case illustrating the behavior.
Luke Taylor said:
The problem here is essentially that two types of Spring AOP proxying are being used - the traditional ProxyFactoryBean approach (which intercept-methods uses) and the auto-proxying approach used by tx:annotation-driven. It's generally a good idea to stick to one or the other, rather than mixing them, otherwise you can end up with two proxies for the same target bean.
I've added a fix to AbstractMethodSecurityMetadataSource to use AopProxyUtils.ultimateTargetClass to test for the case where the security interceptor has been applied to a proxy when it is identifying the target class of the invocation. A better solution might be to use as an alternative:
<sec:protect-pointcut expression='execution(* com.bsb.incubator.interceptor.*.*(..))' access='ROLE_USER'/>
as this will result in a single proxy being used, which is more compatible with the <aop:config /> approach.
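The double-proxy situation described in the comment above, as an added example that is not part of the original thread or the Spring Security code base. It assumes spring-aop is on the classpath; `AccountService`, `AccountServiceImpl` and the class name are hypothetical, and the two `ProxyFactory` calls only stand in for the proxies that tx:annotation-driven and intercept-methods would create.

```java
import java.lang.reflect.Proxy;

import org.aopalliance.intercept.MethodInterceptor;
import org.springframework.aop.framework.AopProxyUtils;
import org.springframework.aop.framework.ProxyFactory;

public class NestedProxyTargetClassDemo {

    // Hypothetical types standing in for the client's interface and bean.
    public interface AccountService { void transfer(); }

    public static class AccountServiceImpl implements AccountService {
        @Override
        public void transfer() { }
    }

    public static void main(String[] args) {
        AccountService bean = new AccountServiceImpl();

        // Proxy 1: stands in for the auto-proxy created by tx:annotation-driven.
        AccountService txProxy = (AccountService) new ProxyFactory(bean).getProxy();

        // Proxy 2: stands in for the ProxyFactoryBean-style proxy that
        // intercept-methods creates. Its target is proxy 1, not the bean.
        ProxyFactory securityFactory = new ProxyFactory(txProxy);
        securityFactory.addAdvice((MethodInterceptor) mi -> {
            // What a security interceptor sees as the invocation target.
            Object target = mi.getThis();

            // Taking the class of the target directly yields the JDK proxy
            // class, so metadata registered against the bean class is missed.
            Class<?> naive = target.getClass();

            // Unwrapping nested proxies yields the real bean class.
            Class<?> ultimate = AopProxyUtils.ultimateTargetClass(target);

            System.out.println("target is a JDK proxy: " + Proxy.isProxyClass(naive));
            System.out.println("naive target class:    " + naive.getName());
            System.out.println("ultimate target class: " + ultimate.getName());
            return mi.proceed();
        });

        AccountService secured = (AccountService) securityFactory.getProxy();
        secured.transfer();
    }
}
```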