From 472c1fac84a2bc08ee8084c000517fa2cdadbff4 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Wed, 24 Mar 2010 20:57:03 +0000
Subject: [PATCH] SEC-1450: Replace use of ClassUtils.getMostSpecificMethod() in AbstractFallbackMethodDefinitionSource with AopUtils.getMostSpecificMethod() equivalent. Ensures protect-pointcut expressions match methods with generic parameters.

---
 ...thodSecurityBeanDefinitionParserTests.java | 31 +++++++++++++++++--
 ...tFallbackMethodSecurityMetadataSource.java | 4 +--
 2 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/config/src/test/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParserTests.java
index 416bba35a0..5b4c39c0d7 100644
--- a/config/src/test/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParserTests.java
@@ -16,6 +16,8 @@ import org.springframework.context.ApplicationContext;
 import org.springframework.context.support.AbstractXmlApplicationContext;
 import org.springframework.context.support.StaticApplicationContext;
 import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.access.SecurityConfig;
 import org.springframework.security.access.annotation.BusinessService;
 import org.springframework.security.access.intercept.AfterInvocationProviderManager;
 import org.springframework.security.access.intercept.RunAsManagerImpl;
@@ -30,6 +32,7 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
 import org.springframework.security.config.ConfigTestUtils;
 import org.springframework.security.config.PostProcessedMockUserDetailsService;
 import org.springframework.security.config.util.InMemoryXmlApplicationContext;
+import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetailsService;
@@ -166,7 +169,7 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
                 " 'execution(* org.springframework.security.access.annotation.BusinessService.*(..)) " +
                 " and not execution(* org.springframework.security.access.annotation.BusinessService.someOther(String)))' " +
                 " access='ROLE_USER'/>" +
-                "" + ConfigTestUtils.AUTH_PROVIDER_XML
+                "" + AUTH_PROVIDER_XML
         );
         target = (BusinessService) appContext.getBean("target");
         // String method should not be protected
@@ -283,6 +286,20 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
                 AUTH_PROVIDER_XML);
     }
 
+    // SEC-1450
+    @Test(expected=AuthenticationException.class)
+    @SuppressWarnings("unchecked")
+    public void genericsAreMatchedByProtectPointcut() throws Exception {
+        setContext(
+                "" +
+                "" +
+                "    " +
+                "" + AUTH_PROVIDER_XML
+        );
+        Foo foo = (Foo) appContext.getBean("target");
+        foo.foo(new SecurityConfig("A"));
+    }
+
     @Test
     public void runAsManagerIsSetCorrectly() throws Exception {
         StaticApplicationContext parent = new StaticApplicationContext();
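Review bot: `genericsAreMatchedByProtectPointcut` only asserts that an `AuthenticationException` escapes `foo.foo(new SecurityConfig("A"))`, which shows the interceptor now wraps the generic method but not that the configured access rule is actually enforced on it; a companion case that authenticates a principal lacking the required role and expects `AccessDeniedException` would pin the authorization path the pointcut is meant to protect. The expectation also presumes the `SecurityContextHolder` is empty when the test starts, which presumably a fixture elsewhere in this class guarantees — worth confirming, since a leaked authentication from an earlier test would make this fail for an unrelated reason. The `@SuppressWarnings("unchecked")` covers the whole method; scoping it to the declaration it is needed for, `@SuppressWarnings("unchecked") Foo foo = (Foo) appContext.getBean("target");`, keeps the rest of the body checked.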
@@ -305,6 +322,14 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
     private void setContext(String context, ApplicationContext parent) {
         appContext = new InMemoryXmlApplicationContext(context, parent);
     }
+
+    interface Foo {
+        void foo(T action);
+    }
+
+    public static class ConcreteFoo implements Foo {
+        public void foo(SecurityConfig action) {
+        }
+    }
+
 }
-
-
diff --git a/core/src/main/java/org/springframework/security/access/method/AbstractFallbackMethodSecurityMetadataSource.java b/core/src/main/java/org/springframework/security/access/method/AbstractFallbackMethodSecurityMetadataSource.java
index af21e87996..343faeaac2 100644
--- a/core/src/main/java/org/springframework/security/access/method/AbstractFallbackMethodSecurityMetadataSource.java
+++ b/core/src/main/java/org/springframework/security/access/method/AbstractFallbackMethodSecurityMetadataSource.java
@@ -3,8 +3,8 @@ package org.springframework.security.access.method;
 import java.lang.reflect.Method;
 import java.util.Collection;
 
+import org.springframework.aop.support.AopUtils;
 import org.springframework.security.access.ConfigAttribute;
-import org.springframework.util.ClassUtils;
 
 /**
  * Abstract implementation of {@link MethodSecurityMetadataSource} that supports both Spring AOP and AspectJ and
@@ -29,7 +29,7 @@ public abstract class AbstractFallbackMethodSecurityMetadataSource extends Abstr
     public Collection getAttributes(Method method, Class targetClass) {
         // The method may be on an interface, but we need attributes from the target class.
         // If the target class is null, the method will be unchanged.
-        Method specificMethod = ClassUtils.getMostSpecificMethod(method, targetClass);
+        Method specificMethod = AopUtils.getMostSpecificMethod(method, targetClass);
         // First try is the method in the target class.
         Collection attr = findAttributes(specificMethod, targetClass);
         if (attr != null) {
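Review bot: `ConcreteFoo.foo(SecurityConfig action)` in the new test fixture lacks `@Override`, so a later change to the `Foo` interface signature would silently leave it as an unrelated overload rather than failing to compile; add `@Override` above `public void foo(SecurityConfig action) {`. Since the test depends on this method being the concrete implementation of the generic interface method that the pointcut must match, the annotation also documents that intent for the next reader.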
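Review bot: The two comment lines above the changed line still describe only interface-to-target-class resolution, while the switch to `AopUtils.getMostSpecificMethod` additionally resolves the compiler-generated bridge method for methods with generic parameters — which, going by the commit message, is what previously left such methods unmatched by protect-pointcut expressions and therefore unprotected. Record that reason in place so a future cleanup does not revert to the `ClassUtils` call and silently reopen the gap: `// AopUtils also resolves compiler-generated bridge methods (generic parameters), so` / `// attributes declared for the generic interface method are found (SEC-1450).` The body of `getAttributes` continues outside the hunk.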