Closed
Description
Using Spring Security 6.4.4 (via Spring Boot 3.4.4)
Describe the bug
When an endpoint annotated with @AuthorizeReturnObject returns an object that has an object authorized with e.g. @PreAuthorize, a ConcurrentModificationException is thrown when multiple requests come in parallel.
To Reproduce
See the sample repository below for a reproducible test case.
Expected behavior
Parallel requests should be handled without errors.
Sample
https://github.com/wbxz987/ConcurrentModificationException
The sample repository contains a test that simulates multiple requests coming in parallel. The test fails because a ConcurrentModificationException is thrown.
Caused by: java.util.ConcurrentModificationException
at java.base/java.util.ArrayList.sort(ArrayList.java:1806)
at org.springframework.core.annotation.AnnotationAwareOrderComparator.sort(AnnotationAwareOrderComparator.java:111)
at org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.proxy(AuthorizationAdvisorProxyFactory.java:168)
at org.springframework.security.authorization.method.AuthorizeReturnObjectMethodInterceptor.invoke(AuthorizeReturnObjectMethodInterceptor.java:61)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184)
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:727)
at org.example.concurrentmodificationexception.controller.Controller$$SpringCGLIB$$0.getModel(<generated>)
The test works when downgrading Spring Security to version 6.3.2, and breaks after this commit 0cab7c8
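
The trace above ends in ArrayList.sort, which throws ConcurrentModificationException when the list's modification count changes while the sort is running. The following is an added example, not code from Spring Security or the sample repository: it assumes a list that is shared between request threads and sorted in place on every call (SHARED, sortShared and sortCopy are hypothetical names) and contrasts that with sorting a per-call copy.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.ConcurrentModificationException;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Consumer;

public class SharedListSortRace {
    // Hypothetical stand-in for a list held in a singleton bean's field.
    // Already ordered, so sorting never changes its contents.
    static final List<Integer> SHARED = new ArrayList<>(List.of(1, 2, 3));

    // Unsafe: every call sorts the shared list in place. ArrayList.sort bumps
    // modCount when it finishes, so an overlapping sort() sees a changed
    // modCount and throws, even though no element moved.
    static void sortShared(Comparator<Integer> c) { SHARED.sort(c); }

    // Race-free: every call sorts a private copy; the shared list is only read.
    static void sortCopy(Comparator<Integer> c) { new ArrayList<>(SHARED).sort(c); }

    // Runs op from 8 threads in parallel and counts the exceptions it raises.
    static int countFailures(Consumer<Comparator<Integer>> op) throws InterruptedException {
        AtomicInteger failures = new AtomicInteger();
        ExecutorService pool = Executors.newFixedThreadPool(8);
        for (int t = 0; t < 8; t++) {
            pool.submit(() -> {
                for (int i = 0; i < 200_000; i++) {
                    try {
                        op.accept(Comparator.naturalOrder());
                    } catch (ConcurrentModificationException e) {
                        failures.incrementAndGet();
                    }
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
        return failures.get();
    }

    public static void main(String[] args) throws InterruptedException {
        // The race is timing-dependent, so the first count varies between runs.
        System.out.println("in-place sort of shared list: " + countFailures(SharedListSortRace::sortShared));
        System.out.println("sort of per-call copy:        " + countFailures(SharedListSortRace::sortCopy));
    }
}
```

Because the failure depends on thread interleaving, a single-threaded test of the same endpoint passes; only a parallel test like the one in the sample repository exposes it.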