SEC-1450: Replace use of ClassUtils.getMostSpecificMethod() in AbstractFallbackMethodDefinitionSource with AopUtils.getMostSpecificMethod() equivalent.

Ensures protect-pointcut expressions match methods with generic parameters.

config/src/test/java/org/springframework/security/config/method/GlobalMethodSecurityBeanDefinitionParserTests.java

@@ -16,6 +16,8 @@ import org.springframework.context.ApplicationContext;
 import org.springframework.context.support.AbstractXmlApplicationContext;
 import org.springframework.context.support.StaticApplicationContext;
 import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.access.SecurityConfig;
 import org.springframework.security.access.annotation.BusinessService;
 import org.springframework.security.access.intercept.AfterInvocationProviderManager;
 import org.springframework.security.access.intercept.RunAsManagerImpl;
@@ -30,6 +32,7 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
 import org.springframework.security.config.ConfigTestUtils;
 import org.springframework.security.config.PostProcessedMockUserDetailsService;
 import org.springframework.security.config.util.InMemoryXmlApplicationContext;
+import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetailsService;
@@ -166,7 +169,7 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
                 "     'execution(* org.springframework.security.access.annotation.BusinessService.*(..)) " +
                 "       and not execution(* org.springframework.security.access.annotation.BusinessService.someOther(String)))' " +
                 "               access='ROLE_USER'/>" +
-                "</global-method-security>" + ConfigTestUtils.AUTH_PROVIDER_XML
+                "</global-method-security>" + AUTH_PROVIDER_XML
         );
         target = (BusinessService) appContext.getBean("target");
         // String method should not be protected
@@ -283,6 +286,20 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
                 AUTH_PROVIDER_XML);
     }
 
+    // SEC-1450
+    @Test(expected=AuthenticationException.class)
+    @SuppressWarnings("unchecked")
+    public void genericsAreMatchedByProtectPointcut() throws Exception {
+        setContext(
+                "<b:bean id='target' class='org.springframework.security.config.method.GlobalMethodSecurityBeanDefinitionParserTests$ConcreteFoo'/>" +
+                "<global-method-security>" +
+                "   <protect-pointcut expression='execution(* org..*Foo.foo(..))' access='ROLE_USER'/>" +
+                "</global-method-security>" + AUTH_PROVIDER_XML
+        );
+        Foo foo = (Foo) appContext.getBean("target");
+        foo.foo(new SecurityConfig("A"));
+    }
+
     @Test
     public void runAsManagerIsSetCorrectly() throws Exception {
         StaticApplicationContext parent = new StaticApplicationContext();
@@ -305,6 +322,14 @@ public class GlobalMethodSecurityBeanDefinitionParserTests {
     private void setContext(String context, ApplicationContext parent) {
         appContext = new InMemoryXmlApplicationContext(context, parent);
     }
+
+    interface Foo<T extends ConfigAttribute> {
+        void foo(T action);
+    }
+
+    public static class ConcreteFoo implements Foo<SecurityConfig> {
+        public void foo(SecurityConfig action) {
+        }
+    }
+
 }
-
-