4
votes

Using Spring ACL with @PreAuthorize annotations on Interfaces which use Generics does not seem to work.

E.g., I have an interface using generics:

public interface MyService<T> {
    @PreAuthorize("hasPermission(#objectToProtect, 'WRITE')")
    void doStuff(T objectToProtect, UserIdentity... user);
}

And an implementation:

public class MyServiceImpl implements MyService<MyObject> {
  @Override
  public synchronized void doStuff(MyObject objectToProtect, UserIdentity... userIdentity) {
    // Do some stuff here... This should be protected; the authenticated user should have write permissions.
  }
}

I can see that PrePostAnnotationSecurityMetadataSource is picking up the annotations on the implementation; however, it looks like it's getting lost in the AOP passing further up, and it's never used when the actual method is called. It works if I add the annotation to the concrete implementation (i.e. on the doStuff method in MyServiceImpl).

If I don't use generics in my interface and use something like Object, it seems to work fine too. So is this a bug in Spring/Spring Security ACL, or can we not use generics and expect them to be proxied?

My Spring config for the annotations looks like this:

<sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
    <sec:expression-handler ref="expressionHandler" />
</sec:global-method-security>

I'm using the latest GA version of Spring (3.2.3) and Spring Security (3.1.4).
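A plain-Java reflection sketch of the situation in the question (an added example, not code from the original post or from Spring Security): it lists the methods the compiler generates for MyServiceImpl and shows that a lookup by name and parameter types finds the interface annotation only through the erased bridge signature. `Guarded` is a stand-in for `@PreAuthorize` and `findOnInterfaces` is a hypothetical helper; whether Spring Security 3.1.4 resolves annotations this way is an assumption, not something the post confirms.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.Arrays;

public class ErasureAnnotationCheck {
    // Hypothetical stand-in for @PreAuthorize so the example runs without Spring.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface Guarded { String value(); }

    static class MyObject {}
    static class UserIdentity {}

    interface MyService<T> {
        // After erasure this is doStuff(Object, UserIdentity[]).
        @Guarded("hasPermission(#objectToProtect, 'WRITE')")
        void doStuff(T objectToProtect, UserIdentity... user);
    }

    static class MyServiceImpl implements MyService<MyObject> {
        // The compiler also emits a synthetic bridge doStuff(Object, UserIdentity[]).
        @Override
        public synchronized void doStuff(MyObject objectToProtect, UserIdentity... user) {}
    }

    /** Looks for Guarded on an interface method with the same name and parameter types. */
    static Guarded findOnInterfaces(Method implMethod) {
        for (Class<?> itf : implMethod.getDeclaringClass().getInterfaces()) {
            try {
                Method m = itf.getMethod(implMethod.getName(), implMethod.getParameterTypes());
                Guarded g = m.getAnnotation(Guarded.class);
                if (g != null) return g;
            } catch (NoSuchMethodException e) {
                // This interface declares no method with that exact signature.
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // One line per declared method: signature, bridge flag, annotation found or not.
        for (Method m : MyServiceImpl.class.getDeclaredMethods()) {
            System.out.printf("%s%s bridge=%b guarded=%b%n", m.getName(),
                Arrays.toString(m.getParameterTypes()), m.isBridge(),
                findOnInterfaces(m) != null);
        }
    }
}
```

A check like this, run over service classes in a test, flags methods whose interface-level access rule is not reachable by signature and therefore needs to be verified with an access-denied test.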
