SEC-1826: Excessive (and misleading) logging in DelegatingMethodSecurityMetadataSource #2054

spring-issuemaster opened this Issue Sep 23, 2011 · 1 comment


Dave Syer (Migrated from SEC-1826) said:

If you switch on global method security, Spring Security adds a custom pointcut matcher and delegates to the DelegatingMethodSecurityMetadataSource. This code in that class logs every method in every bean in the context (as far as I can tell) whether or not it is going to be intercepted:

            if (logger.isDebugEnabled()) {
                logger.debug("Adding security method [" + cacheKey + "] with attributes " + attributes);
            }

So 99.99% of these logs have attributes=[] which according to the matcher means it does not match.

Could the log level be changed to TRACE and also the message changed to "Analyzing" or "Matching" instead of "Adding"?


Luke Taylor said:

An empty list should be treated the same as null, so I've changed the code accordingly and it will now only log methods which have security attributes.

Unfortunately, the way Spring initializes auto-proxying means that method information will be cached for beans to which the advisor is not actually applied at all. Ideally we would be able to skip caching on initialization, when the pointcut is called to test whether the advisor should be applied to the bean, but I'm not sure how that could easily be done.

@spring-issuemaster spring-issuemaster added this to the 3.1.0 milestone Feb 5, 2016
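
An added illustration of the behaviour described in the reply above (not Spring Security's code and not part of the original issue): a simplified metadata cache that treats an empty attribute list the same as null and logs only methods that carry security attributes, while still caching the negative result. The names QuietMetadataCache, Bank, ROLE_TELLER and the debugLog list standing in for logger.debug are assumptions made for the example.

```java
import java.lang.reflect.Method;
import java.util.*;
import java.util.function.Function;

// Simplified stand-in for a delegating metadata source (hypothetical class).
public class QuietMetadataCache {
    private static final List<String> NULL_MARKER = Collections.emptyList();
    private final Map<String, List<String>> cache = new HashMap<>();
    private final List<Function<Method, List<String>>> delegates;
    final List<String> debugLog = new ArrayList<>(); // stands in for logger.debug

    QuietMetadataCache(List<Function<Method, List<String>>> delegates) {
        this.delegates = delegates;
    }

    List<String> getAttributes(Method m) {
        String cacheKey = m.toString();
        List<String> cached = cache.get(cacheKey);
        if (cached != null) return cached;
        List<String> attributes = null;
        for (Function<Method, List<String>> d : delegates) {
            attributes = d.apply(m);
            if (attributes != null && !attributes.isEmpty()) break;
        }
        // Empty list and null both mean "no security attributes":
        // remember the negative result, but write nothing to the log.
        if (attributes == null || attributes.isEmpty()) {
            cache.put(cacheKey, NULL_MARKER);
            return NULL_MARKER;
        }
        debugLog.add("Adding security method [" + cacheKey + "] with attributes " + attributes);
        cache.put(cacheKey, attributes);
        return attributes;
    }

    // Constructed sample bean: only transfer() is secured.
    static class Bank { void transfer() {} void ping() {} String name() { return "x"; } }

    public static void main(String[] args) {
        Function<Method, List<String>> annotated =
            m -> m.getName().equals("transfer") ? List.of("ROLE_TELLER") : List.of();
        QuietMetadataCache source = new QuietMetadataCache(List.of(annotated));
        for (Method m : Bank.class.getDeclaredMethods()) source.getAttributes(m);
        source.debugLog.forEach(System.out::println); // one line, for transfer() only
    }
}
```

With three methods inspected, the log holds a single entry, so the debug output lists only the methods that are actually secured.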