From cb7a94af88330107c43a3de1c0c2b14b62743e9d Mon Sep 17 00:00:00 2001
From: Luke Taylor <luke.taylor@springsource.com>
Date: Sat, 18 Jun 2011 14:46:28 +0100
Subject: [PATCH] SEC-1768: Use AopProxyUtils.ultimateTargetClass to cater for
 situation where security interceptor is applied to a proxy.

---
 .../method/AbstractMethodSecurityMetadataSource.java      | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/core/src/main/java/org/springframework/security/access/method/AbstractMethodSecurityMetadataSource.java b/core/src/main/java/org/springframework/security/access/method/AbstractMethodSecurityMetadataSource.java
index 63ec450342..76f9c277ba 100644
--- a/core/src/main/java/org/springframework/security/access/method/AbstractMethodSecurityMetadataSource.java
+++ b/core/src/main/java/org/springframework/security/access/method/AbstractMethodSecurityMetadataSource.java
@@ -15,6 +15,7 @@
 
 package org.springframework.security.access.method;
 
+import org.springframework.aop.framework.AopProxyUtils;
 import org.springframework.security.access.ConfigAttribute;
 
 import org.aopalliance.intercept.MethodInvocation;
@@ -52,7 +53,12 @@ public abstract class AbstractMethodSecurityMetadataSource implements MethodSecu
             Class<?> targetClass = null;
 
             if (target != null) {
-                targetClass = target instanceof Class<?> ? (Class<?>)target : target.getClass();
+                targetClass = target instanceof Class<?> ? (Class<?>)target : AopProxyUtils.ultimateTargetClass(target);
+
+                if (targetClass == null) {
+                    // See SPR-7447. TODO: Only required for Spring < 3.0.4
+                    targetClass = target.getClass();
+                }
             }
 
             return getAttributes(mi.getMethod(), targetClass);