SEC-1826: Excessive (and misleading) logging in DelegatingMethodSecurityMetadataSource #2054

spring-projects-issues opened this issue Sep 23, 2011 · 1 comment



@spring-projects-issues spring-projects-issues commented Sep 23, 2011

Dave Syer (Migrated from SEC-1826) said:

If you switch on global method security, Spring Security adds a custom pointcut matcher and delegates to the DelegatingMethodSecurityMetadataSource. This code in that class logs every method in every bean in the context (as far as I can tell) whether or not it is going to be intercepted:

            if (logger.isDebugEnabled()) {
                logger.debug("Adding security method [" + cacheKey + "] with attributes " + attributes);
            }

So 99.99% of these logs have attributes= which according to the matcher means it does not match.

Could the log level be changed to TRACE and also the message changed to "Analyzing" or "Matching" instead of "Adding"?


@spring-projects-issues spring-projects-issues commented Sep 24, 2011

Luke Taylor said:

An empty list should be treated the same as null, so I've changed the code accordingly and it will now only log methods which have security attributes.

Unfortunately, the way Spring initializes auto-proxying means that method information will be cached for beans to which the advisor is not actually applied at all. Ideally we would be able to skip caching on initialization, when the pointcut is called to test whether the advisor should be applied to the bean, but I'm not sure how that could easily be done.
