SEC-1768: Use AopProxyUtils.ultimateTargetClass to cater for situation where security interceptor is applied to a proxy.

2025-06-08 05:02:13 +00:00 · 2011-06-18 14:46:28 +01:00 · 2011-06-18 14:46:28 +01:00 · cb7a94af88
commit cb7a94af88
parent 9b8d2719a6
1 changed files with 7 additions and 1 deletions
--- a/core/src/main/java/org/springframework/security/access/method/AbstractMethodSecurityMetadataSource.java
+++ b/core/src/main/java/org/springframework/security/access/method/AbstractMethodSecurityMetadataSource.java
@ -15,6 +15,7 @@

 package org.springframework.security.access.method;

+import org.springframework.aop.framework.AopProxyUtils;
 import org.springframework.security.access.ConfigAttribute;

 import org.aopalliance.intercept.MethodInvocation;
@ -52,7 +53,12 @@ public abstract class AbstractMethodSecurityMetadataSource implements MethodSecu
            Class<?> targetClass = null;

            if (target != null) {
-                targetClass = target instanceof Class<?> ? (Class<?>)target : target.getClass();
+                targetClass = target instanceof Class<?> ? (Class<?>)target : AopProxyUtils.ultimateTargetClass(target);
+
+                if (targetClass == null) {
+                    // See SPR-7447. TODO: Only required for Spring < 3.0.4
+                    targetClass = target.getClass();
+                }
            }

            return getAttributes(mi.getMethod(), targetClass);