From ab248b258306e877ed833e574b688307c967182d Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Fri, 30 Jul 2010 14:36:41 +0100
Subject: [PATCH] SEC-1454: Added use of Spring's new AopProxyUtils.ultimateTargetClass() method when resolving the target class in MethodSecurityEvaluationContext.
---
 .../method/MethodSecurityEvaluationContext.java | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityEvaluationContext.java b/core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityEvaluationContext.java
index 4eb1d18ba7..a75256df62 100644
--- a/core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityEvaluationContext.java
+++ b/core/src/main/java/org/springframework/security/access/expression/method/MethodSecurityEvaluationContext.java
@@ -5,6 +5,7 @@ import java.lang.reflect.Method;
 import org.aopalliance.intercept.MethodInvocation;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.springframework.aop.framework.AopProxyUtils;
 import org.springframework.aop.support.AopUtils;
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
@@ -88,7 +89,15 @@ class MethodSecurityEvaluationContext extends StandardEvaluationContext {
 }
 Object targetObject = mi.getThis();
- Method method = AopUtils.getMostSpecificMethod(mi.getMethod(), targetObject.getClass());
+ // SEC-1454
+ Class targetClass = AopProxyUtils.ultimateTargetClass(targetObject);
+
+ if (targetClass == null) {
+ // TODO: Spring should do this, but there's a bug in ultimateTargetClass() which returns null
+ targetClass = targetObject.getClass();
+ }
+
+ Method method = AopUtils.getMostSpecificMethod(mi.getMethod(), targetClass);
 String[] paramNames = parameterNameDiscoverer.getParameterNames(method);
 if (paramNames == null) {
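Review bot: The null fallback in the second hunk (`targetClass = targetObject.getClass();`) silently restores the pre-patch lookup against the runtime class, so whenever `ultimateTargetClass()` returns null the method is again resolved against what may be a proxy class, and nothing records that this happened. Because the resolved method feeds `parameterNameDiscoverer.getParameterNames(method)`, a wrong class here can presumably leave expression arguments unresolved, which matters for access-control expressions that reference method parameters. I would have the TODO name the upstream Spring issue so the workaround can be removed once it is fixed, e.g. `// TODO(SEC-1454): drop fallback once ultimateTargetClass() no longer returns null (Spring issue: <ISSUE-ID>)`, and declare the local as `Class<?> targetClass` rather than the raw `Class`. The enclosing method begins and ends outside the hunk, so how a null `paramNames` is handled cannot be checked from here.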