UniqueSecurityAnnotationScanner should consider annotation on target class level as fallback #16295

Open
quaff opened this issue Dec 17, 2024 · 2 comments
Labels: status: waiting-for-triage, type: bug

quaff commented Dec 17, 2024

```java
public abstract class AbstractController {

	@GetMapping("/get")
	public String get() {
		return "OK";
	}

}

@RestController
@Secured("USER")
public class DemoController extends AbstractController {

	/*
	public String get() {
		return super.get();
	}
	*/
}
```

`demoController.get()` is not protected by `@Secured("USER")`; we have to redefine it again.

I tried to fix it by adding

```java
		annotations = findClosestClassAnnotations(targetClass, new HashSet<>());
		if (!annotations.isEmpty()) {
			return annotations;
		}
```

after

```java
		annotations = findClosestClassAnnotations(specificMethod.getDeclaringClass(), new HashSet<>());
		if (!annotations.isEmpty()) {
			return annotations;
		}
```

but it broke GH-15352.
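An audit helper for the gap reported above, added here as an example; it is not part of the original post and not Spring Security code. It uses plain JDK reflection with a local stand-in `Secured` annotation and constructed copies of the two controllers, and `coveredViaDeclaringClass` is a simplified, assumed model of a lookup that stops at the method's declaring class.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

public class InheritedHandlerAudit {

	// Stand-in for Spring Security's @Secured so the example runs on a bare JDK (assumption).
	@Retention(RetentionPolicy.RUNTIME)
	@Target({ ElementType.TYPE, ElementType.METHOD })
	@interface Secured { String[] value(); }

	// Constructed sample classes mirroring the issue; Spring MVC annotations omitted.
	static abstract class AbstractController {
		public String get() { return "OK"; }
	}

	@Secured("USER")
	static class DemoController extends AbstractController { }

	// Simplified model (assumption): check the method, then its declaring class and superclasses.
	static boolean coveredViaDeclaringClass(Method m) {
		if (m.isAnnotationPresent(Secured.class)) return true;
		for (Class<?> c = m.getDeclaringClass(); c != null; c = c.getSuperclass()) {
			if (c.isAnnotationPresent(Secured.class)) return true;
		}
		return false;
	}

	// Inherited public methods that the target class annotates but the declaring-class lookup misses.
	static List<String> uncoveredInheritedMethods(Class<?> targetClass) {
		List<String> gaps = new ArrayList<>();
		if (!targetClass.isAnnotationPresent(Secured.class)) return gaps;
		for (Method m : targetClass.getMethods()) {
			Class<?> declaring = m.getDeclaringClass();
			if (declaring == Object.class || declaring == targetClass) continue;
			if (Modifier.isStatic(m.getModifiers())) continue;
			if (!coveredViaDeclaringClass(m)) {
				gaps.add(declaring.getSimpleName() + "#" + m.getName());
			}
		}
		return gaps;
	}

	public static void main(String[] args) {
		System.out.println(uncoveredInheritedMethods(DemoController.class));
	}
}
```

Running it over the sample classes reports `AbstractController#get` as a method the class-level annotation on `DemoController` does not reach under that lookup model.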

quaff commented Dec 17, 2024

Spring Security should skip intercepting `@ExceptionHandler` methods rather than ignoring annotations on the target class.

quaff commented Mar 18, 2025

@jzheaux Could you take a look? Thanks.
