I have an abstract class (the parent class) with some shared @RequestMapping methods and there are some @Controller classes implementing it (the sub-classes).
I annotated the sub-classes with @Secured at the class level, but the parent class methods are not protected by this. (I.e. the AOP interceptor only considers the methods on the sub-classes, not the parent class).
Unfortunately, the sub-classes each need to be protected by a different role, so it will be impossible to annotate the parent class with a common @Secured restriction. It is possible to override all methods in the parent class so they are protected, but I want to avoid this ugly workaround.
Thus I am wondering is there anything I can override (e.g. the interceptor, advice or the meta data provider so that any method in the class hierarchy will observe the @Secured annotation on the target class)?
Additional info:
It seems the annotation resolution is implemented in
org.springframework.security.access.method.AbstractFallbackMethodSecurityMetadataSource.getAttributes(Method, Class<?>) and indeed it only looked at the declaring class of the method (in my case, the parent class). However, I am not too familiar with proxy programming, so any advice on how to safely implement the changes I want are welcome.
It seems you can simply override
SecuredAnnotationSecurityMetadataSourcewith something like