Method Security does not switch to Interface Proxies for final Classes

[rwinch]

If Spring Security's method security is used on a final class that implements an interface it fails. Instead it should create an interface based proxy

For example:

public interface BankAccountService {
	BankAccount findById(int id);
}

@Service
public final class BankAccountServiceImpl implements BankAccountService {
	@PostAuthorize("returnObject?.owner == authentication?.name")
	@Override
	public BankAccount findById(int id) {
		return null;
	}
}

@SpringBootApplication
@EnableMethodSecurity
public class BankAccountApplication {

	public static void main(String[] args) {
		SpringApplication.run(BankAccountApplication.class, args);
	}

}

// fails due to final class being proxied as class based proxy instead of interface based proxy
@SpringBootTest
class BankAccountServiceTest {
	@Autowired
	BankAccountService accounts;

	@Test
	void loads() {}
}

[rwinch]

cc @jzheaux

[evgeniycheban]

Hello, @rwinch @jzheaux can I work on this?

[jzheaux]

Hi, @evgeniycheban, yes, thank you!

[jzheaux]

@evgeniycheban, please confirm the earliest release where this bug appears (possibly 6.3.x) and base your PR off that branch.

[evgeniycheban]

Hello, @jzheaux @rwinch I have tested this issue using spring-boot versions 3.3.9-3.4.4 and spring-security 6.4.1-6.4.4, and I can confirm this behaviour, the reason for that is that spring-boot forces AutoProxyRegistrar to use CGLIB proxies in AopAutoConfiguration by having set spring.aop.proxy-target-class property by default to true, setting this property to false solves this problem. I would personally expect AutoProxyRegistrar to fallback to interface-based proxy if the class being proxied is final. So this is how spring-boot configures proxying mechanism by default.