spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

5.8.12: @Secured annotation on subclasses is not read by SecuredAuthorizationManager when method in superclass was called #15002

Open artem103 opened 2 weeks ago

artem103 commented 2 weeks ago

If I have 2 classes,

public abstract class AbstractService {
    public void doSmth() {...}
}

@Secured("SECURE")
@Service
public class Service extends AbstractService {
...
}

and when I call service.doSmth(), security is not applied, because the method org.springframework.security.authorization.method.SecuredAuthorizationManager.SecuredAuthorizationManagerRegistry#findSecuredAnnotation will try to get the annotation of AbstractService, not of Service.

See the version 6 implementation of this method: https://github.com/spring-projects/spring-security/blob/main/core/src/main/java/org/springframework/security/authorization/method/SecuredAuthorizationManager.java. This bug was fixed there.
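The lookup difference reported above can be reproduced with plain reflection. This is an added example, not code from the issue or from Spring Security: the nested `@Secured` annotation is a dependency-free stand-in, and `findByDeclaringClass` / `findByTargetClass` are hypothetical helper names used only to contrast the two lookup strategies.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

public class SecuredLookupDemo {

    // Stand-in for Spring Security's @Secured (assumption: keeps the demo dependency-free).
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @interface Secured { String[] value(); }

    public abstract static class AbstractService {
        public void doSmth() { }
    }

    @Secured("SECURE")
    public static class Service extends AbstractService { }

    // Hypothetical helper: falls back to the class that declares the method.
    // For an inherited method this is the superclass, so a subclass annotation is missed.
    static Secured findByDeclaringClass(Method method) {
        Secured onMethod = method.getAnnotation(Secured.class);
        return (onMethod != null) ? onMethod : method.getDeclaringClass().getAnnotation(Secured.class);
    }

    // Hypothetical helper: falls back to the runtime class of the invoked object,
    // then walks up its superclasses, so the subclass annotation is found.
    static Secured findByTargetClass(Method method, Class<?> targetClass) {
        Secured onMethod = method.getAnnotation(Secured.class);
        if (onMethod != null) return onMethod;
        for (Class<?> c = targetClass; c != null; c = c.getSuperclass()) {
            Secured onClass = c.getAnnotation(Secured.class);
            if (onClass != null) return onClass;
        }
        return null;
    }

    static String describe(Secured s) {
        return (s == null) ? "no annotation found, call is not authorized" : String.join(",", s.value());
    }

    public static void main(String[] args) throws Exception {
        Method m = Service.class.getMethod("doSmth"); // inherited from AbstractService
        System.out.println("declaring class:    " + m.getDeclaringClass().getSimpleName());
        System.out.println("by declaring class: " + describe(findByDeclaringClass(m)));
        System.out.println("by target class:    " + describe(findByTargetClass(m, Service.class)));
    }
}
```

A regression test for the fix would assert the same thing against the real authorization manager: invoking an inherited method on an instance of the annotated subclass must be denied without the required authority.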

abimael-turing commented 2 weeks ago

@artem103, I'm interested in addressing this issue. Could you assign it to me, please?

artem103 commented 2 weeks ago

@abimael-turing It seems I cannot assign it; I probably have no privileges to do that.

abimael-turing commented 2 weeks ago

@artem103 No problem, I've already started working on it and I'll submit a pull request ASAP.

abimael-turing commented 1 week ago

@artem103 and @spring-projects-issues, I completed the pull request, but the build is failing on GitHub due to deprecated Gradle features, which are incompatible with Gradle 8.0.
