SEC-2974: Multiple pre post annotations fail silently #3183
Description
Juha Komulainen (Migrated from SEC-2974) said:
While @PreAuthorize and other pre post annotations were probably not designed to be used as meta-annotations, they are detected if used as such. This allows one to place multiple @PreAuthorize annotations on a single method.
@Retention(RetentionPolicy.RUNTIME)
@PreAuthorize("isAuthenticated()")
public @interface RequireAuthenticated { }
@Retention(RetentionPolicy.RUNTIME)
@PreAuthorize("hasRole('FOO')")
public @interface RequireFooRole { }
@RequireAuthenticated
@RequireFooRole
public void authenticatedMethod() { }PrePostAnnotationSecurityMetadataSource.findAnnotation calls AnnotationUtils.findAnnotation to look up the @PreAuthorize -annotation. That method will just pick the first matching annotation and silently ignore the rest, producing PreInvocationAttribute which only contains the expression of one annotation (technically it's undefined which annotation gets picked, but in practice it seems to be the first one).
Since the method declaration looks sensible, but the other annotation is ignored, this is a probable vulnerability. Would it be possible to either generalize PrePostAnnotationSecurityMetadataSource to accept multiple annotations and combine them into one rule or to be stricter about the defined annotations and fail-fast if more than one annotation is found?
See SPR-13015 for related discussion.