We’re using Spring Security to control access to some services. It is working fine for 95% of the classes. However, there are two classes where the security annotations are being ignored completely. The security interceptor is not in the list of interceptors for those two classes when the services are called at runtime.
As far as I can tell, there are no differences between these classes and others that work. The basic structure is the same, other annotations used are the same. Scanning the classpath for the annotations picks up the classes. Other classes in the same package work fine.
I’m not very experienced with Spring Security, so I was hoping that someone could point me in the direction of something that I may have overlooked.
If anyone else is interested, what was happening is that we had a circular injection reference between two classes. Class A had a reference to Class B which had a reference to Class A.
When Spring attempted to create the bean for class A, it encountered the circular reference and created an early bean reference for class A which was then proxied. However, the step to add the method pointcuts occurs after all this, so the class got proxied without the security interceptor.