SEC-1450: Replace use of ClassUtils.getMostSpecificMethod() in AbstractFallbackMethodDefinitionSource with AopUtils.getMostSpecificMethod() equivalent.

Ensures protect-pointcut expressions match methods with generic parameters.
2025-10-30 22:28:46 +00:00 · 2010-03-24 20:57:03 +00:00 · 2010-03-24 20:57:03 +00:00 · 472c1fac84
commit 472c1fac84
parent bf91f2ca67
2 changed files with 30 additions and 5 deletions
--- a/config/src/test/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParserTests.java
@ -16,6 +16,8 @@ import org.springframework.context.ApplicationContext;
 import org.springframework.context.support.AbstractXmlApplicationContext;
 import org.springframework.context.support.StaticApplicationContext;
 import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.access.SecurityConfig;
 import org.springframework.security.access.annotation.BusinessService;
 import org.springframework.security.access.intercept.AfterInvocationProviderManager;
 import org.springframework.security.access.intercept.RunAsManagerImpl;
@ -30,6 +32,7 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
 import org.springframework.security.config.ConfigTestUtils;
 import org.springframework.security.config.PostProcessedMockUserDetailsService;
 import org.springframework.security.config.util.InMemoryXmlApplicationContext;
+import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetailsService;
@ -166,7 +169,7 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
                "     'execution(* org.springframework.security.access.annotation.BusinessService.*(..)) " +
                "       and not execution(* org.springframework.security.access.annotation.BusinessService.someOther(String)))' " +
                "               access='ROLE_USER'/>" +
-                "</global-method-security>" + ConfigTestUtils.AUTH_PROVIDER_XML
+                "</global-method-security>" + AUTH_PROVIDER_XML
        );
        target = (BusinessService) appContext.getBean("target");
        // String method should not be protected
@ -283,6 +286,20 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
                AUTH_PROVIDER_XML);
    }

+    // SEC-1450
+    @Test(expected=AuthenticationException.class)
+    @SuppressWarnings("unchecked")
+    public void genericsAreMatchedByProtectPointcut() throws Exception {
+        setContext(
+                "<b:bean id='target' class='org.springframework.security.config.method.GlobalMethodSecurityBeanDefinitionParserTests$ConcreteFoo'/>" +
+                "<global-method-security>" +
+                "   <protect-pointcut expression='execution(* org..*Foo.foo(..))' access='ROLE_USER'/>" +
+                "</global-method-security>" + AUTH_PROVIDER_XML
+        );
+        Foo foo = (Foo) appContext.getBean("target");
+        foo.foo(new SecurityConfig("A"));
+    }
+
    @Test
    public void runAsManagerIsSetCorrectly() throws Exception {
        StaticApplicationContext parent = new StaticApplicationContext();
@ -305,6 +322,14 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
    private void setContext(String context, ApplicationContext parent) {
        appContext = new InMemoryXmlApplicationContext(context, parent);
    }
+
+    interface Foo<T extends ConfigAttribute> {
+        void foo(T action);
+    }
+
+    public static class ConcreteFoo implements Foo<SecurityConfig> {
+        public void foo(SecurityConfig action) {
+        }
+    }
+
 }
-
-
--- a/core/src/main/java/org/springframework/security/access/method/AbstractFallbackMethodSecurityMetadataSource.java
+++ b/core/src/main/java/org/springframework/security/access/method/AbstractFallbackMethodSecurityMetadataSource.java
@ -3,8 +3,8 @@ package org.springframework.security.access.method;
 import java.lang.reflect.Method;
 import java.util.Collection;

+import org.springframework.aop.support.AopUtils;
 import org.springframework.security.access.ConfigAttribute;
-import org.springframework.util.ClassUtils;

 /**
 * Abstract implementation of {@link MethodSecurityMetadataSource} that supports both Spring AOP and AspectJ and
@ -29,7 +29,7 @@ public abstract class AbstractFallbackMethodSecurityMetadataSource extends Abstr
    public Collection<ConfigAttribute> getAttributes(Method method, Class<?> targetClass) {
        // The method may be on an interface, but we need attributes from the target class.
        // If the target class is null, the method will be unchanged.
-        Method specificMethod = ClassUtils.getMostSpecificMethod(method, targetClass);
+        Method specificMethod = AopUtils.getMostSpecificMethod(method, targetClass);
        // First try is the method in the target class.
        Collection<ConfigAttribute> attr = findAttributes(specificMethod, targetClass);
        if (attr != null) {