Using Spring ACLs with @PreAuthorize annotations on interfaces that use Generics doesn't seem to work.
For instance, I have a generic interface:
    public interface MyService<T> {
        @PreAuthorize("hasPermission(#objectToProtect, 'WRITE')")
        void doStuff(T objectToProtect, UserIdentity... user);
    }
And an implementation:

    public class MyServiceImpl implements MyService<MyObject> {
        @Override
        public synchronized void doStuff(MyObject objectToProtect, UserIdentity... userIdentity) {
            // ...
        }
    }
I can see PrePostAnnotationSecurityMetadataSource picking up the annotations for the implementation; however, it looks like they get lost in the AOP going further and are never used when the actual method is called. It works if I add the annotation to a specific implementation (i.e. above the doStuff method in MyServiceImpl).
If I don't use generics in my interface and use something like Object, it seems to work fine too. So either this is a bug in Spring / Spring Security ACL, or we cannot use generics and expect them to be proxied.
My Spring config for annotations is as follows:
    <sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
        <sec:expression-handler ref="expressionHandler" />
    </sec:global-method-security>
I am using the latest GA versions of Spring (3.2.3) and Spring Security (3.1.4).
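Added example, not part of the original post: a plain-reflection check of what the compiler generates for the interface and implementation in the question. `PreAuthorize` here is a local stand-in for the Spring Security annotation so the code runs without Spring, and the empty `MyObject` / `UserIdentity` classes and the `BridgeMethodCheck` name are assumptions. It shows that the implementation class carries two `doStuff` methods and that only the synthetic bridge method's erased signature matches the annotated interface method.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

public class BridgeMethodCheck {
    // Local stand-in for Spring Security's @PreAuthorize (assumption: no Spring on the classpath).
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface PreAuthorize { String value(); }

    // Empty placeholder types for the ones named in the question.
    static class UserIdentity {}
    static class MyObject {}

    interface MyService<T> {
        @PreAuthorize("hasPermission(#objectToProtect, 'WRITE')")
        void doStuff(T objectToProtect, UserIdentity... user);
    }

    static class MyServiceImpl implements MyService<MyObject> {
        @Override
        public synchronized void doStuff(MyObject objectToProtect, UserIdentity... userIdentity) {}
    }

    // Naive lookup: find the interface method with exactly the same name and
    // erased parameter types, and report whether it carries the annotation.
    static boolean annotatedOnInterface(Method m) {
        try {
            Method onInterface = MyService.class.getMethod(m.getName(), m.getParameterTypes());
            return onInterface.isAnnotationPresent(PreAuthorize.class);
        } catch (NoSuchMethodException e) {
            // After erasure the interface declares doStuff(Object, UserIdentity[]),
            // so a lookup with MyObject as the first parameter type finds nothing.
            return false;
        }
    }

    public static void main(String[] args) {
        // The implementation class declares the concrete method and a compiler-generated bridge.
        for (Method m : MyServiceImpl.class.getDeclaredMethods()) {
            System.out.printf("%s%n  bridge=%b annotatedDirectly=%b foundOnInterface=%b%n",
                    m, m.isBridge(),
                    m.isAnnotationPresent(PreAuthorize.class), annotatedOnInterface(m));
        }
    }
}
```

A unit test that calls the secured method without the required permission and expects an access-denied failure is the reliable way to confirm the annotation is enforced on a given proxy setup.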