Method security annotations, like PreAuthorize, not working on private methods after upgrade to 6.4
#16967
Labels
Comments
betalb
added
status: waiting-for-triage
|
I tried to briefly check spring-core AnnotationsScanner and it looks like it allowed private methods, but only if method being called is defined on targetClass and not on parent classes. And it seems that sping-security version has check for this case but it breaks in scenario of aspectj compilation. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Method security annotations, like
PreAuthorize, not working on private methods after upgrade to spring-security 6.4. This only works in case of AspectJ compile time weaving (probably load time should work too, but I was not able to create workable example).Those annotations worked in spring-security 6.3 and earlier.
I see that there was some refactoring in annotation processing code, and it seems that linked method is explicitly rejecting private class members:
spring-security/core/src/main/java/org/springframework/security/core/annotation/UniqueSecurityAnnotationScanner.java
Line 228 in 79bacf8
To Reproduce
Create project that has dependency on spring-security-aspects, aspectjrt and uses aspectj-maven-plugin for compile-time weaving.
Create Rest endpoint that has PreAuthorize annotation on private method
Expected behavior
User should see 403 error, but instead he sees a response
["nothing"]Sample
self-invocation.zip
In attached sample if modifier is changed from private to protected on method
name.vitalii.selfinvocation.Endpoint#doGet, app starts to work as expected.The text was updated successfully, but these errors were encountered: