5.8.12: @Secured annotation on subclasses is not read by SecuredAuthorizationManager when method in superclass was called

[artem103]

If I have 2 classes,

public abstract class AbstractService {
    public void doSmth() {...}
}

@Secured("SECURE")
@Service
public class Service extends AbstractService {
...
}

and when I call service.doSmth(), security is not applied, because method org.springframework.security.authorization.method.SecuredAuthorizationManager.SecuredAuthorizationManagerRegistry#findSecuredAnnotation will try to get annotation of AbstractService, not of Service.

See the 6 version of this method https://github.com/spring-projects/spring-security/blob/main/core/src/main/java/org/springframework/security/authorization/method/SecuredAuthorizationManager.java
This bug was fixed there.

[abimael-turing]

@artem103, I'm interested in addressing this issue. Could you assign it to me, please?

[artem103]

@abimael-turing seems I can not assign it, probably I have no priveleges to do that

[abimael-turing]

@artem103 No problem, I've already started working on it and I'll submit a pull request ASAP.

[abimael-turing]

@artem103 and @spring-projects-issues, I completed the pull request, but the build is failing on GitHub due to deprecated Gradle features, which are incompatible with Gradle 8.0.

[jzheaux]

Thanks again for filing this, @artem103. Based on this comment I'm going to close this ticket. If there is anything that I've missed, please comment in #13783 where the original feature was requested.