From 96697472459f51cfb9be5f0557a78cfb5e10eed4 Mon Sep 17 00:00:00 2001 From: Florian Cramer Date: Wed, 10 May 2023 00:25:31 +0200 Subject: [PATCH 1/2] Ignore synthetic methods when checking for duplicate annotations Closes gh-13132 --- .../method/AuthorizationAnnotationUtils.java | 13 +++++++ .../AuthorizationAnnotationUtilsTests.java | 39 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 core/src/test/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtilsTests.java diff --git a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtils.java b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtils.java index 582436ba17..70eabb2efc 100644 --- a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtils.java +++ b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtils.java @@ -17,6 +17,7 @@ package org.springframework.security.authorization.method; import java.lang.annotation.Annotation; +import java.lang.reflect.Executable; import java.lang.reflect.Method; import org.springframework.core.annotation.AnnotationConfigurationException; @@ -96,6 +97,10 @@ final class AuthorizationAnnotationUtils { Class annotationType) { boolean alreadyFound = false; for (MergedAnnotation mergedAnnotation : mergedAnnotations) { + if (isSynthetic(mergedAnnotation.getSource())) { + continue; + } + if (mergedAnnotation.getType() == annotationType) { if (alreadyFound) { return true; @@ -106,6 +111,14 @@ final class AuthorizationAnnotationUtils { return false; } + private static boolean isSynthetic(Object object) { + if (object instanceof Executable) { + return ((Executable) object).isSynthetic(); + } + + return false; + } + private AuthorizationAnnotationUtils() { } 
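Review bot: The new `isSynthetic(mergedAnnotation.getSource())` skip in the duplicate-check loop excludes an annotation purely because of where it was found, without comparing it to the one already counted. This loop is what rejects ambiguous authorization declarations, so the reason the skip is safe belongs at the `continue`, for example `// compiler-generated bridge methods repeat the annotation of the method they bridge, so they are not a second declaration`. That rationale is inferred from the commit subject and gh-13132 and should be confirmed. If a synthetic source could ever carry different attributes from the declared method, comparing attributes would be safer than skipping. The enclosing method starts and ends outside the hunk.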
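Review bot: The added `isSynthetic(Object)` helper is undocumented, and it treats every source that is not an `Executable` as non-synthetic, which includes a `null` source and a `Class` source. That default is the conservative one here, because an unrecognised source still counts toward the duplicate check, but a reader has to work that out from the `instanceof`. A one-line Javadoc would record it: `/** Returns true only when the annotation source is a compiler-generated method or constructor; any other source, including null, is treated as declared. */`.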
diff --git a/core/src/test/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtilsTests.java b/core/src/test/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtilsTests.java new file mode 100644 index 0000000000..480c2860ec --- /dev/null +++ b/core/src/test/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtilsTests.java @@ -0,0 +1,39 @@ +package org.springframework.security.authorization.method; + +import java.lang.reflect.Method; +import java.lang.reflect.Proxy; +import java.util.List; + +import org.junit.jupiter.api.Test; +import org.springframework.security.access.prepost.PreAuthorize; + +import static org.assertj.core.api.Assertions.assertThatNoException; + +/** + * Tests for {@link AuthorizationAnnotationUtils} + */ +class AuthorizationAnnotationUtilsTests { + + @Test // gh-13132 + public void annotationsOnSyntheticMethodsShouldNotTriggerAnnotationConfigurationException() + throws NoSuchMethodException { + StringRepository proxy = + (StringRepository) Proxy.newProxyInstance(Thread.currentThread().getContextClassLoader(), + new Class[] {StringRepository.class}, (p, m, args) -> null); + Method method = proxy.getClass().getDeclaredMethod("findAll"); + assertThatNoException() + .isThrownBy(() -> AuthorizationAnnotationUtils.findUniqueAnnotation(method, PreAuthorize.class)); + } + + private interface BaseRepository { + + Iterable findAll(); + } + + private interface StringRepository extends BaseRepository { + + @Override + @PreAuthorize("hasRole('someRole')") + List findAll(); + } +} From 05ef215b88e3ea3742f5f80e7c92eb5ee6648f06 Mon Sep 17 00:00:00 2001 From: Josh Cummings Date: Wed, 10 May 2023 18:09:54 -0600 Subject: [PATCH 2/2] Align Formatting Issue gh-13132 --- .../method/AuthorizationAnnotationUtils.java | 2 +- .../AuthorizationAnnotationUtilsTests.java | 29 +++++++++++++++---- 2 files changed, 25 insertions(+), 6 deletions(-) 
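Review bot: The test only asserts that `findUniqueAnnotation` does not throw, so it would still pass if the lookup returned nothing for the proxied `findAll()`, and a missed `@PreAuthorize` would presumably mean no authorization rule is applied to that method. Assuming `findUniqueAnnotation` returns the annotation it resolves, capture the result and assert on it: `PreAuthorize preAuthorize = AuthorizationAnnotationUtils.findUniqueAnnotation(method, PreAuthorize.class);` followed by `assertThat(preAuthorize.value()).isEqualTo("hasRole('someRole')");`. A companion case with two genuinely conflicting `@PreAuthorize` declarations, expected to raise `AnnotationConfigurationException`, would confirm that the duplicate check still fails closed after the synthetic-method skip.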
diff --git a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtils.java b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtils.java index 70eabb2efc..87d425f2f4 100644 --- a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtils.java +++ b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtils.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. diff --git a/core/src/test/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtilsTests.java b/core/src/test/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtilsTests.java index 480c2860ec..d37423ca23 100644 --- a/core/src/test/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtilsTests.java +++ b/core/src/test/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtilsTests.java @@ -1,3 +1,19 @@ +/* + * Copyright 2002-2023 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + package org.springframework.security.authorization.method; import java.lang.reflect.Method; 
@@ -5,6 +21,7 @@ import java.lang.reflect.Proxy; import java.util.List; import org.junit.jupiter.api.Test; + import org.springframework.security.access.prepost.PreAuthorize; import static org.assertj.core.api.Assertions.assertThatNoException; @@ -15,11 +32,10 @@ import static org.assertj.core.api.Assertions.assertThatNoException; class AuthorizationAnnotationUtilsTests { @Test // gh-13132 - public void annotationsOnSyntheticMethodsShouldNotTriggerAnnotationConfigurationException() - throws NoSuchMethodException { - StringRepository proxy = - (StringRepository) Proxy.newProxyInstance(Thread.currentThread().getContextClassLoader(), - new Class[] {StringRepository.class}, (p, m, args) -> null); + void annotationsOnSyntheticMethodsShouldNotTriggerAnnotationConfigurationException() throws NoSuchMethodException { + StringRepository proxy = (StringRepository) Proxy.newProxyInstance( + Thread.currentThread().getContextClassLoader(), new Class[] { StringRepository.class }, + (p, m, args) -> null); Method method = proxy.getClass().getDeclaredMethod("findAll"); assertThatNoException() .isThrownBy(() -> AuthorizationAnnotationUtils.findUniqueAnnotation(method, PreAuthorize.class)); @@ -28,6 +44,7 @@ class AuthorizationAnnotationUtilsTests { private interface BaseRepository { Iterable findAll(); + } private interface StringRepository extends BaseRepository { @@ -35,5 +52,7 @@ class AuthorizationAnnotationUtilsTests { @Override @PreAuthorize("hasRole('someRole')") List findAll(); + } + }