Announcement Announcement Module
No announcement yet.
Spring Security ACL - @PreAuthorize Generics with an Interface - possible bug Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Spring Security ACL - @PreAuthorize Generics with an Interface - possible bug

    Using Spring ACL with @PreAuthorize annotations on Interfaces which use Generics does not seem to work.

    Eg; I have an interface using generics;

    public interface MyService<T> {
        @PreAuthorize("hasPermission(#objectToProtect, 'WRITE')")
        void doStuff(T objectToProtect, UserIdentity... user);
    And an implementation;

    public class MyServiceImpl implements MyService<MyObject> {
      public synchronized void doStuff(MyObject objectToProtect, UserIdentity... userIdentity) {
        // Do some stuff here... THis should be protected, the authenticated user should have write permissions.
    I can see that PrePostAnnotationSecurityMetadataSource is picking up the annotations on the implementation, however it looks like its getting lost in the AOP passing further up and its never used when the acutal method is called. It works if I add the annotation to the concrete implementation (i.e. on the doStuff method in MyServiceImpl).

    If I dont use generics in my interface and use something like Object it seems to work fine too. So is this a bug in Spring/Spring Security ACL or can we not use generics and expect them to be proxied.

    My Spring config for the annotations looks like this;

       <sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
            <sec:expression-handler ref="expressionHandler" />
    Also on stackoverflow;

    I'm using the latest GA version of Spring (3.2.3) and Spring Security (3.1.4)