billc.cn

Reputation: 7317

@Secured annotation on a class does not apply to parent class methods

I have an abstract class (the parent class) with some shared @RequestMapping methods and there are some @Controller classes implementing it (the sub-classes).

I annotated the sub-classes with @Secured at the class level, but the parent class methods are not protected by this. (I.e. the AOP interceptor only considers the methods on the sub-classes, not the parent class).

Unfortunately, the sub-classes each need to be protected by a different role, so it will be impossible to annotate the parent class with a common @Secured restriction. It is possible to override all methods in the parent class so they are protected, but I want to avoid this ugly workaround.

Thus I am wondering whether there is anything I can override (e.g. the interceptor, advice or the metadata provider) so that any method in the class hierarchy will observe the @Secured annotation on the target class.

Additional info:

It seems the annotation resolution is implemented in org.springframework.security.access.method.AbstractFallbackMethodSecurityMetadataSource.getAttributes(Method, Class<?>) and indeed it only looked at the declaring class of the method (in my case, the parent class). However, I am not too familiar with proxy programming, so any advice on how to safely implement the changes I want is welcome.

Upvotes: 3

Views: 1061

Answers (1)

billc.cn

Reputation: 7317

It seems you can simply override SecuredAnnotationSecurityMetadataSource with something like

@Override
public Collection<ConfigAttribute> getAttributes(Method method, Class<?> targetClass) {
    // Standard lookup first: the method itself, then its declaring class.
    Collection<ConfigAttribute> out = super.getAttributes(method, targetClass);

    // Nothing found: fall back to the @Secured annotation on the target (sub-)class.
    if (out == null || out.isEmpty()) {
        out = findAttributes(targetClass);
        if (out == null) out = Collections.emptyList();
    }

    return out;
}

Upvotes: 1
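
A check for the behaviour discussed in this thread, added here as an example and not part of the original question or answer: it resolves the @Secured attributes for every public method reachable on an annotated sub-class, once with the stock metadata source and once with the override from the answer, and fails if any inherited method still resolves to no attributes. The class names (BaseController, AdminController, TargetClassFallbackSource, InheritedSecuredCheck) and the role are hypothetical, and it assumes a spring-security-core version on the classpath that still ships SecuredAnnotationSecurityMetadataSource.

```java
import java.lang.reflect.Method;
import java.util.Collection;
import java.util.Collections;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.annotation.SecuredAnnotationSecurityMetadataSource;

public class InheritedSecuredCheck {

    // Constructed stand-ins for the question's hierarchy (hypothetical names).
    public abstract static class BaseController {
        public String list() { return "list"; }      // shared handler declared on the parent
    }

    @Secured("ROLE_ADMIN")
    public static class AdminController extends BaseController {
        public String audit() { return "audit"; }    // declared on the annotated sub-class
    }

    // The override from the answer: fall back to the annotation on the target class.
    static class TargetClassFallbackSource extends SecuredAnnotationSecurityMetadataSource {
        @Override
        public Collection<ConfigAttribute> getAttributes(Method method, Class<?> targetClass) {
            Collection<ConfigAttribute> out = super.getAttributes(method, targetClass);
            if (out == null || out.isEmpty()) {
                out = findAttributes(targetClass);
                if (out == null) out = Collections.emptyList();
            }
            return out;
        }
    }

    public static void main(String[] args) {
        SecuredAnnotationSecurityMetadataSource stock = new SecuredAnnotationSecurityMetadataSource();
        SecuredAnnotationSecurityMetadataSource patched = new TargetClassFallbackSource();
        // getMethods() also returns the public methods inherited from BaseController.
        for (Method m : AdminController.class.getMethods()) {
            if (m.getDeclaringClass() == Object.class) continue;
            Collection<ConfigAttribute> before = stock.getAttributes(m, AdminController.class);
            Collection<ConfigAttribute> after = patched.getAttributes(m, AdminController.class);
            System.out.printf("%s (declared on %s): stock=%s patched=%s%n",
                    m.getName(), m.getDeclaringClass().getSimpleName(), before, after);
            // Fail closed: no method reachable on the secured class may be left unprotected.
            if (after == null || after.isEmpty())
                throw new IllegalStateException("unprotected method: " + m);
        }
    }
}
```

The same loop can run in a unit test over the real controller classes, so a newly added parent-class handler that resolves to no attributes is caught before deployment.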
