If I have 2 classes,
    public abstract class AbstractService {
        public void doSmth() {...}
    }

    @Secured("SECURE")
    @Service
    public class Service extends AbstractService {
        ...
    }

and when I call service.doSmth(), security is not applied, because the method org.springframework.security.authorization.method.SecuredAuthorizationManager.SecuredAuthorizationManagerRegistry#findSecuredAnnotation will try to get the annotation of AbstractService, not of Service.
See version 6 of this method: https://github.com/spring-projects/spring-security/blob/main/core/src/main/java/org/springframework/security/authorization/method/SecuredAuthorizationManager.java This bug was fixed there.
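Added example, not code from the issue or from Spring Security: a plain-reflection model of the lookup difference reported above, plus a small audit that lists inherited methods a declaring-class lookup would leave unannotated. The `Secured` annotation is a local stand-in with no Spring dependency, and all helper names are hypothetical.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class InheritedMethodAnnotationDemo {

    // Local stand-in for @Secured (assumption: only class- and method-level use matters here).
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @interface Secured { String[] value(); }

    static abstract class AbstractService { public void doSmth() { } }

    @Secured("SECURE")
    static class Service extends AbstractService { }

    // Lookup keyed on the class that declares the method: for an inherited
    // method this is the superclass, so the subclass annotation is never seen.
    static Secured findByDeclaringClass(Method method) {
        Secured s = method.getAnnotation(Secured.class);
        return (s != null) ? s : method.getDeclaringClass().getAnnotation(Secured.class);
    }

    // Lookup keyed on the class of the object actually being invoked.
    static Secured findByTargetClass(Method method, Class<?> targetClass) {
        Secured s = method.getAnnotation(Secured.class);
        return (s != null) ? s : targetClass.getAnnotation(Secured.class);
    }

    // Audit: public inherited methods of an annotated class that a
    // declaring-class lookup would treat as carrying no annotation.
    static List<String> missedByDeclaringClassLookup(Class<?> targetClass) {
        List<String> missed = new ArrayList<>();
        if (targetClass.getAnnotation(Secured.class) == null) return missed;
        for (Method m : targetClass.getMethods()) {
            if (m.getDeclaringClass() == Object.class) continue;
            if (findByDeclaringClass(m) == null)
                missed.add(m.getDeclaringClass().getSimpleName() + "#" + m.getName());
        }
        return missed;
    }

    public static void main(String[] args) throws Exception {
        Method m = Service.class.getMethod("doSmth");
        System.out.println("declaring class:    " + m.getDeclaringClass().getSimpleName());
        System.out.println("by declaring class: " + findByDeclaringClass(m));
        System.out.println("by target class:    " + findByTargetClass(m, Service.class));
        System.out.println("missed by audit:    " + missedByDeclaringClassLookup(Service.class));
    }
}
```

Running the audit over service classes in a test gives a quick list of inherited methods to cover with an explicit override or a method-level annotation on affected versions.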
Comment From: abimael-turing
@artem103, I'm interested in addressing this issue. Could you assign it to me, please?
Comment From: artem103
@abimael-turing seems I cannot assign it, probably I have no privileges to do that
Comment From: abimael-turing
@artem103 No problem, I've already started working on it and I'll submit a pull request ASAP.
Comment From: abimael-turing
@artem103 and @spring-projects-issues, I completed the pull request, but the build is failing on GitHub due to deprecated Gradle features, which are incompatible with Gradle 8.0.
Comment From: jzheaux
Thanks again for filing this, @artem103. Based on this comment I'm going to close this ticket. If there is anything that I've missed, please comment in https://github.com/spring-projects/spring-security/issues/13783 where the original feature was requested.