Prevent reflective invocation of private methods in web dispatcher

Signed-off-by: yongjunhong <yongjunh@apache.org>

spring-web/src/main/java/org/springframework/web/method/support/InvocableHandlerMethod.java

@@ -18,6 +18,7 @@ package org.springframework.web.method.support;
 
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
+import java.lang.reflect.Modifier;
 import java.util.Arrays;
 import java.util.Map;
 import java.util.Objects;
@@ -35,6 +36,7 @@ import org.jspecify.annotations.Nullable;
 import reactor.core.publisher.Mono;
 import reactor.core.publisher.SynchronousSink;
 
+import org.springframework.aop.support.AopUtils;
 import org.springframework.context.MessageSource;
 import org.springframework.core.CoroutinesUtils;
 import org.springframework.core.DefaultParameterNameDiscoverer;
@@ -58,6 +60,7 @@ import org.springframework.web.method.HandlerMethod;
  * @author Rossen Stoyanchev
  * @author Juergen Hoeller
  * @author Sebastien Deleuze
+ * @author Yongjun Hong
  * @since 3.1
  */
 public class InvocableHandlerMethod extends HandlerMethod {
@@ -246,6 +249,16 @@ public class InvocableHandlerMethod extends HandlerMethod {
 	 */
 	protected @Nullable Object doInvoke(@Nullable Object... args) throws Exception {
 		Method method = getBridgedMethod();
+		Object bean = getBean();
+
+		if (AopUtils.isCglibProxy(bean) && Modifier.isPrivate(method.getModifiers())) {
+			throw new IllegalStateException(
+					"Cannot invoke private method [" + method.getName() + "] on a CGLIB proxy. " +
+							"Handler methods on proxied components must be public or protected. " +
+							"Change method visibility or use interface-based JDK proxies if applicable."
+			);
+		}
+
 		try {
 			if (KotlinDetector.isKotlinType(method.getDeclaringClass())) {
 				if (KotlinDetector.isSuspendingFunction(method)) {

spring-web/src/test/java/org/springframework/web/method/support/InvocableHandlerMethodTests.java

@@ -22,6 +22,7 @@ import org.jspecify.annotations.Nullable;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
+import org.springframework.aop.framework.ProxyFactory;
 import org.springframework.core.MethodParameter;
 import org.springframework.web.bind.support.WebDataBinderFactory;
 import org.springframework.web.context.request.NativeWebRequest;
@@ -42,6 +43,7 @@ import static org.assertj.core.api.Assertions.assertThatRuntimeException;
  * Tests for {@link InvocableHandlerMethod}.
  *
  * @author Rossen Stoyanchev
+ * @author Yongjun Hong
  */
 class InvocableHandlerMethodTests {
 
@@ -168,6 +170,21 @@ class InvocableHandlerMethodTests {
 			.withMessageContaining("Illegal argument");
 	}
 
+	@Test
+	void testPrivateMethodOnCglibProxyThrowsException() throws Exception {
+		TestController target = new TestController();
+		ProxyFactory proxyFactory = new ProxyFactory(target);
+		proxyFactory.setProxyTargetClass(true);
+		Object proxy = proxyFactory.getProxy();
+
+		Method privateMethod = TestController.class.getDeclaredMethod("privateMethod");
+		InvocableHandlerMethod handlerMethod = new InvocableHandlerMethod(proxy, privateMethod);
+
+		assertThatIllegalStateException()
+				.isThrownBy(() -> handlerMethod.invokeForRequest(null, null))
+				.withMessageContaining("Cannot invoke private method [privateMethod] on a CGLIB proxy");
+	}
+
 	private InvocableHandlerMethod getInvocable(Class<?>... argTypes) {
 		Method method = ResolvableMethod.on(Handler.class).argTypes(argTypes).resolveMethod();
 		InvocableHandlerMethod handlerMethod = new InvocableHandlerMethod(new Handler(), method);
@@ -216,4 +233,12 @@ class InvocableHandlerMethodTests {
 		}
 	}
 
+	private static class TestController {
+		public TestController() {
+			// Default constructor for proxy creation
+		}
+
+		private void privateMethod() { }
+	}
+
 }