SEC-3049: Adding @Validated annotation creates Proxy when in AspectJ mode #3215

Closed
spring-projects-issues opened this issue Jul 20, 2015 · 4 comments
Labels: in: config (an issue in spring-security-config); status: declined (a suggestion or change that we don't feel we should currently apply); type: bug (a general bug); type: jira (an issue that was migrated from JIRA)

Comments

@spring-projects-issues

Craig Chapman (Migrated from SEC-3049) said:

When configuring Global Method Security and/or Transaction Management in AspectJ mode, the advised class is not created as a proxy. However, if you wish to then add JSR-303 validation to the advised class by adding the @Validated annotation, the class is then proxied without warning.

See attached sample that demonstrates this and note that I am using Spring Security version 4.0.2.CI-SNAPSHOT due to SEC-3005.

@spring-projects-issues

Craig Chapman said:

Note that it is the creation of the MethodValidationPostProcessor bean and the @Validated annotation that causes the class to be proxied. MethodValidationPostProcessor is required for JSR-303 method parameter validation...

```java
@Bean
public MethodValidationPostProcessor methodValidationPostProcessor() {
    return new MethodValidationPostProcessor();
}
```

It may be that not much can be done about this issue and that it is deemed as misconfiguration but it should probably be documented.

@spring-projects-issues

Rob Winch said:

craigchapman1975 Thanks for the report. Is this causing any problems with the application? Spring Security only controls if Spring Security is using aspectj or proxying the class...it cannot control what other parts of your configuration are doing to the objects. If there are no problematic side effects, I think this is a works as designed. If your application is no longer being secured properly, then we have something we need to sort out.

@spring-projects-issues

Craig Chapman said:

Hi Rob,

There are no security side effects as far as I can tell, though I haven't spent much time investigating.

I'm inclined to agree with you that it is as designed and just something to be mindful of when using AspectJ mode.

Cheers,
Craig

@spring-projects-issues

Rob Winch said:

Thanks. In light of our conversation, I'm resolving this as works as designed.
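
One way to check for the behaviour reported in this thread, as an added example that is not part of the original discussion or of Spring Security: a startup audit that lists every singleton bean that ended up behind a Spring AOP proxy and names the advice responsible. The class name `ProxyAudit` is hypothetical, and the example assumes it is registered as a bean in the same application context as the advised classes.

```java
import java.util.Map;
import org.springframework.aop.Advisor;
import org.springframework.aop.framework.Advised;
import org.springframework.aop.support.AopUtils;
import org.springframework.beans.factory.SmartInitializingSingleton;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.validation.annotation.Validated;

/** Hypothetical helper (not from the thread): reports singleton beans wrapped in a Spring AOP proxy. */
public class ProxyAudit implements ApplicationContextAware, SmartInitializingSingleton {

    private ApplicationContext context;

    @Override
    public void setApplicationContext(ApplicationContext context) {
        this.context = context;
    }

    /** Runs once all non-lazy singletons exist, i.e. after every BeanPostProcessor has had its turn. */
    @Override
    public void afterSingletonsInstantiated() {
        // allowEagerInit=false: inspect what is already there, do not force lazy beans or FactoryBeans
        Map<String, Object> beans = context.getBeansOfType(Object.class, false, false);
        for (Map.Entry<String, Object> entry : beans.entrySet()) {
            Object bean = entry.getValue();
            if (!AopUtils.isAopProxy(bean)) {
                continue; // woven by AspectJ or not advised at all: no proxy object
            }
            Class<?> target = AopUtils.getTargetClass(bean);
            StringBuilder line = new StringBuilder(entry.getKey())
                    .append(" -> ").append(AopUtils.isCglibProxy(bean) ? "CGLIB" : "JDK")
                    .append(" proxy of ").append(target.getName());
            if (AnnotationUtils.findAnnotation(target, Validated.class) != null) {
                line.append(" [@Validated]");
            }
            if (bean instanceof Advised) {
                // The advice class names the feature that asked for the proxy
                for (Advisor advisor : ((Advised) bean).getAdvisors()) {
                    line.append("\n    advice: ").append(advisor.getAdvice().getClass().getName());
                }
            }
            System.out.println(line);
        }
    }
}
```

For the configuration described in this issue, the advice listed for the `@Validated` class should be Spring's `MethodValidationInterceptor` rather than anything from Spring Security, which is the distinction the thread settles on.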

@spring-projects-issues spring-projects-issues added in: config An issue in spring-security-config Resolved type: bug A general bug type: jira An issue that was migrated from JIRA labels Feb 5, 2016
@rwinch rwinch added the status: declined A suggestion or change that we don't feel we should currently apply label May 3, 2019