Describe the bug When using @PreAuthorize("isAuthenticated()") on a Controller that inherits from a base class, where both controller classes define methods with a @RequestMapping, dependencies that should be injected through constructor injection are null.

Something seems to be shaky with 'Spring Method Security' and 'Spring DI'...

To Reproduce Consider the following sample controller:

@RestController
@PreAuthorize("isAuthenticated()")
@RequestMapping("test")
internal class SampleController(greetingService: GreetingService) : BaseController(greetingService) {

  @RequestMapping("bar")
  fun bar(): String {
    return "Bar"
  }

}

internal abstract class BaseController(private val greetingService: GreetingService) {

  @RequestMapping("foo")
  fun foo(): String {
    return greetingService.greet("Foo")
  }

}

@Service
internal class GreetingService {

  fun greet(input: String): String {
    return "Hello $input"
  }

}

When calling the endpoint test/foo from the abstract controller class, a NullPointerException is raised on line 24 because greetingService is null. When either the PreAuthorize annotation (on line 9) or the method bar on the concrete controller class are commented out, everything works correctly.

Expected behavior Injection of dependencies correctly works together with @PreAuthorize in inherited controller classes.

Sample https://github.com/cbossi/spring-npe-reproduction

Comment From: evgeniycheban

I can take a look.

Comment From: jzheaux

Thanks, @evgeniycheban. Don't hesitate to reach out with questions.

Comment From: evgeniycheban

@cbossi The method foo should be open so that it can be proxied.

Comment From: cbossi

@evgeniycheban indeed this helps, thanks a lot.

It's plausible that a method has to be open in order to be proxied, but it's interesting that this seems to only be necessary for methods of inherited classes. The method bar in the example is not open either, and moreover the whole class SampleController is not open...

If somehow possible, it would be very helpful to get a descriptive error message in those cases.
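
The descriptive failure asked for in the last comment can be approximated with plain reflection; the following is an added example, not code from this thread or from Spring Security. The class stand-ins are constructed without Spring annotations, and `unproxyableMethods` and `requireProxyable` are hypothetical helper names.

```kotlin
import java.lang.reflect.Method
import java.lang.reflect.Modifier

// Constructed stand-ins for the classes in the report, without Spring annotations.
// Assumption: SampleController and bar() are `open`, as in a build where the kotlin-spring
// (all-open) plugin opens annotated classes only; BaseController keeps Kotlin's final default.
class GreetingService { fun greet(input: String) = "Hello $input" }

abstract class BaseController(private val greetingService: GreetingService) {
    fun foo(): String = greetingService.greet("Foo")      // final: cannot be overridden
}

open class SampleController(g: GreetingService) : BaseController(g) {
    open fun bar(): String = "Bar"
}

/**
 * Returns the instance methods of [type] (inherited ones included) that a
 * subclass-based proxy cannot override. A call to one of these runs on the
 * proxy object itself rather than on the target bean, so no interceptor
 * (and no @PreAuthorize check) is applied to it.
 */
fun unproxyableMethods(type: Class<*>): List<Method> {
    val found = mutableListOf<Method>()
    var current: Class<*>? = type
    while (current != null && current != Any::class.java) {
        current.declaredMethods
            .filter { !it.isSynthetic && (it.modifiers and (Modifier.STATIC or Modifier.PRIVATE)) == 0 }
            .filter { Modifier.isFinal(it.modifiers) || Modifier.isFinal(type.modifiers) }
            .forEach { found += it }
        current = current.superclass
    }
    return found.sortedBy { it.declaringClass.simpleName + "." + it.name }
}

/** Fails with a descriptive message instead of a later NullPointerException. */
fun requireProxyable(type: Class<*>) {
    val blocked = unproxyableMethods(type)
    check(blocked.isEmpty()) {
        "${type.simpleName} cannot be fully proxied; declare these methods open: " +
            blocked.joinToString { "${it.declaringClass.simpleName}.${it.name}()" }
    }
}

fun main() {
    println(unproxyableMethods(SampleController::class.java).map { it.name })
    runCatching { requireProxyable(SampleController::class.java) }
        .onFailure { println(it.message) }
}
```

In an application the same check would be run against each controller's target class at startup, before any request reaches a method the proxy cannot intercept.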