Summary
In the following example, the constructor of SecuredAnnotationSecurityMetadataSource cannot determine the type of the annotation and, instead of assigning the value "MyCustomAnnotation" to the annotationType field, it assigns the value "Annotation", which later prevents the org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor from being triggered for any method that is annotated with the "MyCustomAnnotation" annotation.
import java.util.Collections;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.annotation.AnnotationMetadataExtractor;
import org.springframework.security.access.annotation.SecuredAnnotationSecurityMetadataSource;
import org.springframework.security.access.method.MethodSecurityMetadataSource;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;

public class CustomMethodSecurityConfiguration extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityMetadataSource customMethodSecurityMetadataSource() {
        // The metadata source reads the annotation type from the extractor's generic parameter
        return new SecuredAnnotationSecurityMetadataSource(annotationMetaDataExtractor());
    }

    // Extractor supplied as a lambda: the generic parameter is NOT retained at runtime
    private AnnotationMetadataExtractor<MyCustomAnnotation> annotationMetaDataExtractor() {
        return (MyCustomAnnotation securityAnnotation) -> Collections.singleton((ConfigAttribute) () -> "test");
    }
}
When rewriting the annotationMetaDataExtractor method without lambdas, the annotationType field of the SecuredAnnotationSecurityMetadataSource is correctly set to "MyCustomAnnotation" and the interceptor is triggered as expected.
// Extractor supplied as an anonymous class: the generic parameter survives in the class metadata
private AnnotationMetadataExtractor<MyCustomAnnotation> annotationMetaDataExtractor() {
    return new AnnotationMetadataExtractor<MyCustomAnnotation>() {
        @Override
        public Collection<? extends ConfigAttribute> extractAttributes(MyCustomAnnotation securityAnnotation) {
            return Collections.singleton((ConfigAttribute) () -> "test");
        }
    };
}
Actual Behavior
org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor is not triggered for any method that is annotated with the "MyCustomAnnotation" annotation.
Expected Behavior
Any method annotated with @MyCustomAnnotation should be picked up by the interceptor (and have the security logic applied).
Version
spring-security-core: 5.5.3
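The root cause can be reproduced without Spring at all. The following is an added example (not part of the report above and not Spring Security's own code): a stand-in Extractor interface plays the role of AnnotationMetadataExtractor, and resolveExtractorType mirrors, as I understand it, the reflection lookup the SecuredAnnotationSecurityMetadataSource constructor performs on the extractor's generic interfaces. A lambda's synthetic class implements the raw interface with no Signature attribute, so the type argument is still the type variable A and only its declared bound (Annotation) can be recovered; an anonymous class carries Extractor<MyCustomAnnotation> in its metadata and resolves correctly. The interface, annotation and method names are assumptions made for the demo.

```java
import java.lang.annotation.Annotation;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.ParameterizedType;
import java.lang.reflect.Type;
import java.lang.reflect.TypeVariable;
import java.util.Collection;
import java.util.Collections;

public class LambdaGenericTypeDemo {

    // Stand-in for the custom security annotation from the report (assumed name).
    @Retention(RetentionPolicy.RUNTIME)
    @interface MyCustomAnnotation {}

    // Stand-in for Spring Security's AnnotationMetadataExtractor<A extends Annotation> (assumed name).
    interface Extractor<A extends Annotation> {
        Collection<String> extractAttributes(A annotation);
    }

    // Walks the implemented interfaces of an extractor class and returns the concrete
    // annotation type. If the interface is only present in raw form (which is what a
    // lambda's synthetic class reports), the type variable is unresolved and the only
    // information left is its declared upper bound, i.e. Annotation.
    static Class<?> resolveExtractorType(Class<?> impl) {
        for (Type iface : impl.getGenericInterfaces()) {
            if (iface instanceof ParameterizedType) {
                ParameterizedType pt = (ParameterizedType) iface;
                if (pt.getRawType() == Extractor.class) {
                    return (Class<?>) pt.getActualTypeArguments()[0];
                }
            } else if (iface == Extractor.class) {
                TypeVariable<?> var = Extractor.class.getTypeParameters()[0];
                return (Class<?>) var.getBounds()[0];
            }
        }
        return null;
    }

    // Same extractor as in the report, written as a lambda.
    static Extractor<MyCustomAnnotation> lambdaExtractor() {
        return (MyCustomAnnotation a) -> Collections.singleton("test");
    }

    // Same extractor written as an anonymous class (the workaround from the report).
    static Extractor<MyCustomAnnotation> anonymousExtractor() {
        return new Extractor<MyCustomAnnotation>() {
            @Override
            public Collection<String> extractAttributes(MyCustomAnnotation a) {
                return Collections.singleton("test");
            }
        };
    }

    public static void main(String[] args) {
        System.out.println("lambda    -> " + resolveExtractorType(lambdaExtractor().getClass()));
        System.out.println("anonymous -> " + resolveExtractorType(anonymousExtractor().getClass()));
    }
}
```

Compile and run it with plain javac/java; the lambda line resolves to the bound Annotation, the anonymous-class line to MyCustomAnnotation, which is exactly why the interceptor never matches methods annotated with the custom annotation when the extractor is a lambda.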
Comment From: eleftherias
Thanks for reaching out and providing a workaround @CLS-CLS. Unfortunately this is a known limitation of using lambdas with generic types. You can track the related Spring Framework issue https://github.com/spring-projects/spring-framework/issues/17130.
Comment From: CLS-CLS
May I propose, until the issue is fixed (which it seems will take a lot of time), updating the javadoc to warn the user not to use lambdas? At least that way users will not be afraid to use lambdas in all places, i.e. on the existing javadoc of SecuredAnnotationSecurityMetadataSource add an implementation note:
/**
* Sources method security metadata from Spring Security's {@link Secured} annotation.
* <p>
* Can also be used with custom security annotations by injecting an
* {@link AnnotationMetadataExtractor}. The annotation type will then be obtained from the
* generic parameter type supplied to this interface
* @ImplNote use caution when providing an extractor as a lambda function because the generic type is not picked up
Comment From: eleftherias
I think adding a note to the Javadoc is reasonable @CLS-CLS. Would you like to submit a PR for that?
Note that we don't use the @ImplNote tag in this project.