Description
Christopher Smith (Migrated from SEC-3081) said:
I have mappings and security annotations defined in an abstract base controller class, then subclass that controller to provide HTML and versioned JSON implementations. Up until now, I've been able to apply @PreAuthorize to an abstract method on the superclass:
@PreAuthorize(AuthorizationExpressions.SUPPORT_ROLE)
@RequestMapping('/{digitizer}')
abstract digitizerDetail(@PathVariable Digitizer digitizer)
and the correct restrictions are applied to the subclass:
@Override
def digitizerDetail(@PathVariable Digitizer digitizer) {
new ModelAndView('digitizers/profile')
}
However, if the superclass is generic (in this case, to facilitate REST API versioning by permitting different DTO classes to be mapped in method parameters), the path mapping works but the security annotation does not:
<R extends ResourceSupport>...
@PreAuthorize(AuthorizationExpressions.SUPPORT_ROLE)
@RequestMapping(value = '/{digitizer}', method = RequestMethod.POST)
abstract modifyDigitizer(@PathVariable Digitizer digitizer, R resource)
@Override
def modifyDigitizer(@PathVariable Digitizer digitizer, @ModelAttribute DigitizerResource updatedDigitizer) {
// this method does not have security restrictions applied
}
I expected the generic override to either succeed or fail in its entirety, but the partial success means that a method can get mapped in appropriately but not secured as intended.