SEC-2974: Multiple pre post annotations fail silently #3183

Closed
spring-projects-issues opened this issue May 12, 2015 · 1 comment
Labels: in: core (An issue in spring-security-core); type: enhancement (A general enhancement); type: jira (An issue that was migrated from JIRA)
Milestone: 5.6.0-M1

Comments


Juha Komulainen (Migrated from SEC-2974) said:

While @PreAuthorize and other pre post annotations were probably not designed to be used as meta-annotations, they are detected if used as such. This allows one to place multiple @PreAuthorize annotations on a single method.

import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import org.springframework.security.access.prepost.PreAuthorize;

// Meta-annotation that carries its own @PreAuthorize rule.
@Retention(RetentionPolicy.RUNTIME)
@PreAuthorize("isAuthenticated()")
public @interface RequireAuthenticated { }

// A second meta-annotation with a different @PreAuthorize rule.
@Retention(RetentionPolicy.RUNTIME)
@PreAuthorize("hasRole('FOO')")
public @interface RequireFooRole { }

// Both meta-annotations on one method: only one of the two rules is applied.
@RequireAuthenticated
@RequireFooRole
public void authenticatedMethod() { }

PrePostAnnotationSecurityMetadataSource.findAnnotation calls AnnotationUtils.findAnnotation to look up the @PreAuthorize annotation. That method will just pick the first matching annotation and silently ignore the rest, producing a PreInvocationAttribute which only contains the expression of one annotation (technically it's undefined which annotation gets picked, but in practice it seems to be the first one).

Since the method declaration looks sensible, but the other annotation is ignored, this is a probable vulnerability. Would it be possible to either generalize PrePostAnnotationSecurityMetadataSource to accept multiple annotations and combine them into one rule or to be stricter about the defined annotations and fail-fast if more than one annotation is found?

See SPR-13015 for related discussion.
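The two remedies the report asks for (combine all rules into one, or fail fast when more than one is present) can be prototyped outside the framework. The following is an added example, not Spring Security's own code or a fix from the linked issues: it walks a method's annotations and their meta-annotations with plain reflection, collects every reachable @PreAuthorize expression, and then either ANDs them into a single SpEL expression or refuses to start when a method carries more than one. It assumes spring-security-core on the classpath for @PreAuthorize; the class names PreAuthorizeMetaAnnotationCheck and Service are constructed for the example, and RequireAuthenticated, RequireFooRole and authenticatedMethod mirror the declarations in the report.

```java
import java.lang.annotation.Annotation;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.access.prepost.PreAuthorize;

// Added example (not Spring Security code). Assumes spring-security-core for @PreAuthorize;
// the Service class and the check class itself are constructed for illustration.
public class PreAuthorizeMetaAnnotationCheck {

    @Retention(RetentionPolicy.RUNTIME)
    @PreAuthorize("isAuthenticated()")
    public @interface RequireAuthenticated { }

    @Retention(RetentionPolicy.RUNTIME)
    @PreAuthorize("hasRole('FOO')")
    public @interface RequireFooRole { }

    // Same shape as the report: two meta-annotations, each carrying its own rule.
    public static class Service {
        @RequireAuthenticated
        @RequireFooRole
        public void authenticatedMethod() { }
    }

    /** Every @PreAuthorize expression reachable from the method, directly or via meta-annotations. */
    public static List<String> collectExpressions(Method method) {
        List<String> found = new ArrayList<>();
        for (Annotation a : method.getAnnotations()) {
            walk(a, found, new HashSet<>());
        }
        return found;
    }

    private static void walk(Annotation a, List<String> found, Set<Class<?>> visited) {
        Class<? extends Annotation> type = a.annotationType();
        if (type == PreAuthorize.class) {
            found.add(((PreAuthorize) a).value());
            return;
        }
        // JDK meta-annotations (@Retention, @Target, @Documented) annotate each other in a
        // cycle; skip them, and skip any annotation type already visited on this path.
        if (type.getName().startsWith("java.lang.annotation.") || !visited.add(type)) {
            return;
        }
        for (Annotation meta : type.getAnnotations()) {
            walk(meta, found, visited);
        }
    }

    /** Fail-fast option: reject a class whose method carries more than one effective @PreAuthorize. */
    public static void assertAtMostOne(Class<?> target) {
        for (Method m : target.getDeclaredMethods()) {
            List<String> exprs = collectExpressions(m);
            if (exprs.size() > 1) {
                throw new IllegalStateException(m + " carries " + exprs.size()
                        + " @PreAuthorize rules " + exprs + "; the framework would honour only one");
            }
        }
    }

    /** Combining option: AND the expressions so that every declared rule must hold. */
    public static String combined(Method method) {
        List<String> exprs = collectExpressions(method);
        if (exprs.isEmpty()) {
            return null;
        }
        return exprs.stream()
                .map(e -> "(" + e + ")")
                .collect(Collectors.joining(" and "));
    }

    public static void main(String[] args) throws Exception {
        Method m = Service.class.getMethod("authenticatedMethod");
        System.out.println("found:    " + collectExpressions(m));
        System.out.println("combined: " + combined(m));
        // Throws for Service, because authenticatedMethod resolves to two rules.
        assertAtMostOne(Service.class);
    }
}
```

Running assertAtMostOne against each secured bean at startup (for instance from a BeanPostProcessor) turns the silent drop into a deployment failure; the combined expression is what a merging implementation would hand to the expression handler instead of the single value that AnnotationUtils.findAnnotation returns. The walk stops at JDK meta-annotations and at already-visited types, so it terminates on the cyclic annotations in java.lang.annotation.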

spring-projects-issues added the labels in: core (An issue in spring-security-core), Open, type: bug (A general bug) and type: jira (An issue that was migrated from JIRA) on Feb 5, 2016
rwinch removed the Open label on May 3, 2019
jzheaux self-assigned this on May 18, 2021
jzheaux added type: enhancement (A general enhancement) and removed type: bug (A general bug) on May 18, 2021
jzheaux added this to the 5.6.0-M1 milestone on May 18, 2021
jzheaux (Contributor) commented May 18, 2021

Closing in favor of #9630

@jzheaux jzheaux closed this as completed May 18, 2021