Add validator for Spring ACL variable references
massfords opened this issue
Mark Ford commented
Spring ACL functions with variable references to parameters must match the parameter name exactly. There are two validations to be added here:
- validate that a PreAuthorize annotation on a non-abstract method with a hasPermission() function with a variable reference resolves to the declared parameters.
- validate that a variable reference in a PreAuthorize annotation on an abstract method matches the param name on the concrete methods.
Consider the scenario:
- write a service interface with PreAuthorize annotations that use Spring ACL
- implement the service interface with a class
- default behavior of most IDEs will be to generate the method w/ matching params, which is good
- at some point in the future, you refactor the name of the params on the interface or the implementation. After all, they're just names so who cares?
- at runtime, the Spring ACL code won't be able to resolve the variable reference in the expression to the newly renamed param
I've run into this problem 4 or 5 times, but not recently since I'm vigilant about it. But it smacks of effort, and barriers towards refactoring should be removed.
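A sketch of the two checks requested above, as an added example that is not code from this project. The class and method names are hypothetical, parameter names are passed in as strings the way an annotation processor or reflection would report them, and the service and parameter names in `main` are constructed.

```java
import java.util.*;
import java.util.regex.*;

public class AclVariableCheck {
    // SpEL variable reference: '#' followed by an identifier.
    private static final Pattern VAR = Pattern.compile("#([A-Za-z_$][A-Za-z0-9_$]*)");
    // #root and #this are SpEL built-ins, not method parameters.
    private static final Set<String> RESERVED = Set.of("root", "this");

    /** Variable names referenced by the expression, ignoring '#' inside single-quoted literals. */
    static Set<String> variableRefs(String expression) {
        // Blank out string literals first ('' is an escaped quote inside a literal).
        String noLiterals = expression.replaceAll("'(?:[^']|'')*'", "''");
        Set<String> refs = new LinkedHashSet<>();
        Matcher m = VAR.matcher(noLiterals);
        while (m.find()) {
            if (!RESERVED.contains(m.group(1))) refs.add(m.group(1));
        }
        return refs;
    }

    /** Validation 1: references that match no declared parameter name of the method. */
    static Set<String> unresolved(String expression, List<String> paramNames) {
        Set<String> missing = variableRefs(expression);
        missing.removeAll(paramNames);
        return missing;
    }

    /** Validation 2: check an abstract method's expression against every concrete implementation. */
    static Map<String, Set<String>> unresolvedInImpls(String expression,
                                                      Map<String, List<String>> implParams) {
        Map<String, Set<String>> problems = new LinkedHashMap<>();
        implParams.forEach((impl, params) -> {
            Set<String> missing = unresolved(expression, params);
            if (!missing.isEmpty()) problems.put(impl, missing);
        });
        return problems;
    }

    public static void main(String[] args) {
        // Constructed scenario: the interface keeps #docId, the implementation renamed its parameter to id.
        String expr = "hasPermission(#docId, 'com.example.Document', 'read')";
        System.out.println(unresolved(expr, List.of("docId")));
        Map<String, List<String>> impls = new LinkedHashMap<>();
        impls.put("DocumentServiceImpl.load", List.of("id"));
        System.out.println(unresolvedInImpls(expr, impls));
    }
}
```

A non-empty result from either check is the condition the issue wants reported at build time, before the renamed parameter causes the reference to go unresolved at runtime.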