This issue is similar to https://github.com/spring-projects/spring-security/issues/13132, but for repository methods going through proxies.
Example code:
```java
@NoRepositoryBean
@RepositoryRestResource
public interface DefaultCrudRepository<T, K> extends JpaRepository<T, K> {
    @PreAuthorize(SUPPORT_ROLE_RULE_FOR_CRUD)
    @Override
    @RestResource
    @NonNull
    <S extends T> S save(@NonNull S entity);
}
```
Then, in AuthorizationAnnotationUtils#findUniqueAnnotation, the mergedAnnotations contains 2 PreAuthorize, which results in an AnnotationConfigurationException.
Comment From: nightswimmings
Looks like a rational decision
Comment From: jzheaux
@hqrd Could you please do me the favor of creating a reproducer?
Comment From: nightswimmings
I think I misunderstood the poster, because now we are facing this. The issue is not about multiple annotation inheritance, which is forbidden by design now, but the fact that AuthorizationAnnotationUtils.findMergedAnnotations is detecting as duplicate the same exact annotation on the same class (as different instances). In our case this happens in exactly the same scenario, when our child repository is a @RestResourceRepository and contains a @PreAuthorize on the save() method. Indeed, our subinterface is called SecuredRepository and its whole purpose is creating an abstraction so all saves() are preauthorized. There's no other @PreAuthorize in the class hierarchy in either custom or Spring classes that we are aware of.
Comment From: saugion
Hi @jzheaux, I would say this is the same as https://github.com/spring-projects/spring-security/issues/13490. The user that opened the issue also provided a very basic reproducer.