AuthorizationAnnotationUtils.findUniqueAnnotation broken for inherited repository methods #13234

Closed
hqrd opened this issue May 26, 2023 · 4 comments
Labels
in: core An issue in spring-security-core

hqrd commented May 26, 2023

This issue is similar to #13132
But for repository methods going through proxies.

Example code:

```java
@NoRepositoryBean
@RepositoryRestResource
public interface DefaultCrudRepository<T, K> extends JpaRepository<T, K> {
	@PreAuthorize(SUPPORT_ROLE_RULE_FOR_CRUD)
	@Override
	@RestResource
	@NonNull
	<S extends T> S save(@NonNull S entity);

}
```

Then in AuthorizationAnnotationUtils#findUniqueAnnotation, the mergedAnnotations contains 2 PreAuthorize :
image

Which results in an AnnotationConfigurationException

hqrd added the labels status: waiting-for-triage (An issue we've not yet triaged) and type: bug (A general bug) on May 26, 2023
@nightswimmings

Looks like a rationale decision

image

Contributor

jzheaux commented Jul 3, 2023

@hqrd Could you please do me the favor of creating a reproducer?

jzheaux self-assigned this on Jul 3, 2023
jzheaux added the label in: core (An issue in spring-security-core) and removed the labels status: waiting-for-triage (An issue we've not yet triaged) and type: bug (A general bug) on Jul 3, 2023

nightswimmings commented Jul 17, 2023

I think I misunderstood the poster, because now we are facing this. The issue is not about multiple annotation inheritance, which is forbidden by design now, but the fact that AuthorizationAnnotationUtils.findMergedAnnotations is detecting as duplicate the same exact annotation on the same class (as different instances). In our case this happens exactly in the same scenario, when our child repository is a @RestResourceRepository and contains a @PreAuthorize in the save() method. Indeed, our subinterface is called SecuredRepository and its whole purpose is creating an abstraction so all saves() are Preauthorized. There's no other @PreAuthorize in the class hierarchy in either custom or Spring classes that we are aware of.
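
An added example, not part of the thread and not Spring Security's code: a JDK-only demonstration of the failure mode the comment above describes, where one declared annotation is collected twice and an instance-counting uniqueness check rejects it, next to a value-based check that still rejects genuinely conflicting rules. The `Rule` annotation, the interface names, and the diamond-shaped hierarchy with a naive walk are all assumptions constructed for illustration; the thread does not say by which path the real scan reaches the declaration twice.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class UniqueAnnotationDemo {
    // Hypothetical stand-in for @PreAuthorize so the demo needs only the JDK.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface Rule { String value(); }

    // Constructed hierarchy: Secured.save is reachable from Diamond via two paths.
    interface Base<T> { T save(T e); }
    interface Secured<T> extends Base<T> { @Rule("hasRole('SUPPORT')") @Override T save(T e); }
    interface Left<T> extends Secured<T> {}
    interface Right<T> extends Secured<T> {}
    interface Diamond<T> extends Left<T>, Right<T> {}
    // Constructed conflict: two unrelated parents declare different rules.
    interface Other<T> extends Base<T> { @Rule("permitAll") @Override T save(T e); }
    interface Conflict<T> extends Secured<T>, Other<T> {}

    // Naive walk with no visited set, so one declaration can be collected repeatedly.
    static void collect(Class<?> type, String name, List<Rule> out) {
        for (Method m : type.getDeclaredMethods()) {
            Rule r = m.getAnnotation(Rule.class);
            if (m.getName().equals(name) && !m.isBridge() && r != null) out.add(r);
        }
        for (Class<?> parent : type.getInterfaces()) collect(parent, name, out);
    }

    // Instance-counting check: flags Diamond although only one rule is declared.
    static boolean ambiguousByCount(Class<?> type) {
        List<Rule> found = new ArrayList<>();
        collect(type, "save", found);
        return found.size() > 1;
    }

    // Value-based check: Annotation.equals() compares type and member values,
    // so repeated sightings of one declaration collapse, while differing rules do not.
    static boolean ambiguousByValue(Class<?> type) {
        List<Rule> found = new ArrayList<>();
        collect(type, "save", found);
        return new HashSet<>(found).size() > 1;
    }

    public static void main(String[] args) {
        System.out.println("Diamond  byCount=" + ambiguousByCount(Diamond.class)
                + " byValue=" + ambiguousByValue(Diamond.class));
        System.out.println("Conflict byCount=" + ambiguousByCount(Conflict.class)
                + " byValue=" + ambiguousByValue(Conflict.class));
    }
}
```

The point for authorization code is that the duplicate check should be relaxed by comparing what was found, not by removing it: two different rules on the same method must still fail configuration rather than have one silently win.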


saugion commented Jul 17, 2023

Hi @jzheaux, I would say this is the same as #13490. The user that opened the issue also provided a very basic reproducer.

jzheaux added this to the 6.4.0-M2 milestone Jul 18, 2024
jzheaux added a commit that referenced this issue Jul 31, 2024
This new arrangement of the test better matches the class
hierarchy described by the original ticket.

Issue gh-13234