Merge branch '6.1.x' into 6.2.x

Closes gh-14267
2 years ago · 6e636e6abb
2 changed files with 44 additions and 6 deletions
--- a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtils.java
+++ b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtils.java
@ -95,17 +95,28 @@ final class AuthorizationAnnotationUtils {
				@@ -95,17 +95,28 @@ final class AuthorizationAnnotationUtils {

 	private static <A extends Annotation> boolean hasDuplicate(MergedAnnotations mergedAnnotations,
 			Class<A> annotationType) {
-		boolean alreadyFound = false;
+		MergedAnnotation<Annotation> alreadyFound = null;
 		for (MergedAnnotation<Annotation> mergedAnnotation : mergedAnnotations) {
 			if (isSynthetic(mergedAnnotation.getSource())) {
 				continue;
 			}

-			if (mergedAnnotation.getType() == annotationType) {
-				if (alreadyFound) {
-					return true;
-				}
-				alreadyFound = true;
+			if (mergedAnnotation.getType() != annotationType) {
+				continue;
+			}
+
+			if (alreadyFound == null) {
+				alreadyFound = mergedAnnotation;
+				continue;
+			}
+
+			// https://github.com/spring-projects/spring-framework/issues/31803
+			if (!mergedAnnotation.getSource().equals(alreadyFound.getSource())) {
+				return true;
+			}
+
+			if (mergedAnnotation.getRoot().getType() != alreadyFound.getRoot().getType()) {
+				return true;
 			}
 		}
 		return false;
--- a/core/src/test/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtilsTests.java
+++ b/core/src/test/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtilsTests.java
@ -41,6 +41,13 @@ class AuthorizationAnnotationUtilsTests {
				@@ -41,6 +41,13 @@ class AuthorizationAnnotationUtilsTests {
 			.isThrownBy(() -> AuthorizationAnnotationUtils.findUniqueAnnotation(method, PreAuthorize.class));
 	}

+	@Test // gh-13625
+	void annotationsFromSuperSuperInterfaceShouldNotTriggerAnnotationConfigurationException() throws Exception {
+		Method method = HelloImpl.class.getMethod("sayHello");
+		assertThatNoException()
+			.isThrownBy(() -> AuthorizationAnnotationUtils.findUniqueAnnotation(method, PreAuthorize.class));
+	}
+
 	private interface BaseRepository<T> {

 		Iterable<T> findAll();
@ -55,4 +62,24 @@ class AuthorizationAnnotationUtilsTests {
				@@ -55,4 +62,24 @@ class AuthorizationAnnotationUtilsTests {

 	}

+	private interface Hello {
+
+		@PreAuthorize("hasRole('someRole')")
+		String sayHello();
+
+	}
+
+	private interface SayHello extends Hello {
+
+	}
+
+	private static class HelloImpl implements SayHello {
+
+		@Override
+		public String sayHello() {
+			return "hello";
+		}
+
+	}
+
 }