AbstractAdvisorAutoProxyCreator should consistently detect package-visible methods [SPR-14174]

[spring-projects-issues]

Rob Winch opened SPR-14174 and commented

It would be nice if Spring's AbstractAdvisorAutoProxyCreator would support package scope methods. This has become increasingly important for Boot style applications which often use default methods. For example, the controller below is not secured due to the fact that package scope method is used:

@RestController
public class AdminController {

	@PreAuthorize("hasRole('ADMIN')")
	@RequestMapping("/admin/")
	String index() {
		return "Admin";
	}
}

Right now this appears to be blocked by the fact that AopUtils.canApply only checks public methods since it uses methods = clazz.getMethods()

---

Referenced from: commits 9991122

[spring-projects-issues]

Juergen Hoeller commented

Indeed, there is an inconsistency in the canApply matching for PointcutAdvisors: We need to detect matches with package-visible methods at that level, since package-visible methods are actually being matched later on within an actual proxy. For example, if your controller example above has any public method with the same pointcut, the package-visible method will get intercepted; it will just be ignored if it is the only match for the pointcut on the given class, as far as my tests go. This clearly has to get aligned, and I've just done so through iterating ClassUtils.getAllDeclaredMethods in AopUtils.canApply.

As side fixes, we're also ignoring Pointcut beans for auto-proxying now (like we do for Advice and Advisor beans already), and we're shortcutting canApply checks if we're dealing with MethodMatcher.TRUE (since there is no need to retrieve methods for iteration purposes in that case).

[spring-projects-issues]

Rob Winch commented

Thanks for the fast turnaround on this! I can confirm that the changes have resolved the problem I was experiencing. Thanks again!