Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Spring Security 6 combined with AspectJ weaving of spring-security-aspects executes PreAuthorize twice #13160

Closed
rolevinks opened this issue May 12, 2023 · 3 comments
Closed

Spring Security 6 combined with AspectJ weaving of spring-security-aspects executes PreAuthorize twice #13160

rolevinks opened this issue May 12, 2023 · 3 comments
Assignees
@jzheaux
Labels
in: config An issue in spring-security-config type: bug A general bug
Milestone
5.8.4

Comments

@rolevinks
Copy link

rolevinks commented May 12, 2023
edited
Loading

Describe the bug
We just updated Spring Security to version 6 in our project , and replaced the @EnableGlobalMethodSecurity with @EnableMethodSecurity, both with adviceMode ASPECTJ. Furthermore, we have a @PostFilter on some getters in our entities, so we also use the aspectj maven plugin.
Previously, this worked perfectly, but since the upgrade, the permission checks on methods in components are executed twice instead of once.

To Reproduce
See attached project.

Expected behavior
Permission checks are executed once.

Sample
test.zip
@rolevinks rolevinks added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels May 12, 2023
@jzheaux
Copy link
Contributor

jzheaux commented May 12, 2023
edited
Loading

Thanks for the report, @rolevinks.

It appears this is due to the fact that the AOP Advisor bean is registered even when ASPECTJ mode is activated.

You can address this in your application for the moment by changing the annotation to:

@EnableMethodSecurity(prePostEnabled = false, mode = ASPECTJ)

And then publishing the following bean:

@Bean 
fun preAuthorizeAuthorizationMethodInterceptor(expressionHandler: MethodSecurityExpressionHandler): MethodInterceptor {
    val authorizationManager = PreAuthorizeAuthorizationManager()
    authorizationManager.setExpressionHandler(expressionHandler);
    return AuthorizationManagerBeforeMethodInterceptor.preAuthorize(authorizationManager);
}

The reason this works is because it is publishing the same bean as a MethodInterceptor instead of an Advisor, meaning that Spring doesn't try picking it up as an AOP Advisor as well.

To fix this passively in Spring Security may take a bit of research; however, I believe one way to address it is to publish a different configuration class when the advice mode is ASPECTJ. In that case, the components can be registered as MethodInterceptors instead.

@jzheaux jzheaux self-assigned this May 12, 2023
@jzheaux jzheaux added in: config An issue in spring-security-config and removed status: waiting-for-triage An issue we've not yet triaged labels May 12, 2023
jzheaux added a commit to jzheaux/spring-security that referenced this issue May 12, 2023
@jzheaux
Only Register as Advisor in Proxy Mode
1298dee 
Closes spring-projectsgh-13160
@rolevinks
Copy link
Author

Hi Josh,

Thanks for the quick reply, the workaround will do for now.

@jzheaux jzheaux mentioned this issue May 19, 2023
Closed
@jzheaux jzheaux added this to the 5.8.4 milestone May 19, 2023
@marcusdacoregio
Copy link
Contributor

marcusdacoregio commented Jun 19, 2023
edited by jzheaux
Loading

Just a heads up that this has been reopened for 6.0.x and 6.1.x

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jzheaux jzheaux

Labels
in: config An issue in spring-security-config type: bug A general bug
Projects
Spring Security Team
Status: Done
Milestone
5.8.4
Development

No branches or pull requests
3 participants
@jzheaux @marcusdacoregio @rolevinks