Applications using `@AuthorizeReturnObject` or the Spring Security produced `AuthorizationAdvisorProxyFactory` `@Bean` to wrap objects may not have all security advice applied.

When method security advice is not applied, annotations like `@PreFilter` and `@PreAuthorize` may have no effect on these wrapped objects.

Note that this does not impact any `@Bean`s that use Spring Security's method security advice.

For this to impact an application, all of the following need to be true:

- `AnnotationAwareAspectJAutoProxyCreator` must be the auto proxy creator being used to create proxies; this can either be done declaratively by your application, enabled via `@EnableAspectJAutoProxy`, or enabled by Spring Boot by virtue of using `spring-aspects` or a starter that uses `spring-aspects`
- A `FactoryBean` must be present in the application context
- The application must use `@EnableMethodSecurity`
- The application must use the `@AuthorizeReturnObject` annotation or the `AuthorizationAdvisorProxyFactory` `@Bean` produced by Spring Security
- The application must use `@PreFilter`, `@PostFilter`, `@PreAuthorize`, or `@PostAuthorize` on those wrapped objects

If all of these are true, then some of the method security advice may not be applied to the objects wrapped by `@AuthorizeReturnObject` or `AuthorizationAdvisorProxyFactory`.

Applications where any of the following are true are not impacted:

- The application does not use `@PreFilter`, `@PostFilter`, `@PreAuthorize`, or `@PostAuthorize` on any wrapped objects
- The application does not use `@EnableMethodSecurity` to enable method security
- The application does not use `@AuthorizeReturnObject` or the `AuthorizationAdvisorProxyFactory` `@Bean` produced by Spring Security
- The application has no `FactoryBean`s
- The application does not use `AnnotationAwareAspectJAutoProxyCreator` for auto-proxy creation

This affects the following Spring Security versions:

Affected version(s) | Fix version | Availability |
---|---|---|
6.3.x | 6.3.2 | OSS |
No other mitigation steps are necessary.
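
As an added example (not part of the advisory or of Spring Security), the impact conditions and version table above can be turned into a first-pass triage over a project's source and build files. The verdict names, the sample project and the matching of the `AuthorizationProxyFactory` interface are assumptions of this sketch; a text scan cannot see beans or auto-proxy setup contributed by dependencies, so their absence only yields `needs-review`.

```python
import re

# Source-visible conditions from the advisory; every one must hold for impact.
REQUIRED = {
    "@EnableMethodSecurity": re.compile(r"@EnableMethodSecurity\b"),
    # Assumption: also match the AuthorizationProxyFactory interface type.
    "@AuthorizeReturnObject or AuthorizationAdvisorProxyFactory": re.compile(
        r"@AuthorizeReturnObject\b|\bAuthorization(?:Advisor)?ProxyFactory\b"),
    "@PreFilter/@PostFilter/@PreAuthorize/@PostAuthorize": re.compile(
        r"@(?:PreFilter|PostFilter|PreAuthorize|PostAuthorize)\b"),
}
# Dependencies can also satisfy these; absence in scanned files proves nothing.
HINTS = {
    "AspectJ auto-proxying": re.compile(r"@EnableAspectJAutoProxy\b|spring-aspects"),
    "FactoryBean": re.compile(r"\bFactoryBean\b"),
}

def version_affected(version):
    """True for 6.3.x before 6.3.2, False if not affected, None if unknown."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(.*)", version.strip())
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups()[:3])
    if (major, minor) != (6, 3):
        return False
    if patch == 2 and m.group(4):  # e.g. 6.3.2-SNAPSHOT may predate the fix
        return None
    return patch < 2

def triage(version, files):
    """files maps path -> text (sources and build files). Returns (verdict, notes)."""
    if version_affected(version) is False:
        return "not-impacted", ["version is not an affected 6.3.x release"]
    text = "\n".join(files.values())
    missing = [name for name, rx in REQUIRED.items() if not rx.search(text)]
    if missing:
        return "not-impacted", ["no use of " + name for name in missing]
    seen = [name for name, rx in HINTS.items() if rx.search(text)]
    verdict = "likely-impacted" if len(seen) == len(HINTS) else "needs-review"
    return verdict, ["found: " + name for name in seen]

# Constructed sample project, not taken from any real application.
SAMPLE = {
    "build.gradle": "implementation 'org.springframework:spring-aspects'",
    "SecurityConfig.java": "@EnableMethodSecurity class SecurityConfig {}",
    "AccountRepo.java": "@AuthorizeReturnObject Account findById(long id);",
    "Account.java": '@PreAuthorize("hasRole(\'ADMIN\')") String getIban();',
    "ClientFactory.java": "class ClientFactory implements FactoryBean<Client> {}",
}
print(triage("6.3.1", SAMPLE)[0])
```

Pass every module of the application in `files`; a `not-impacted` verdict is only as complete as the set of files scanned.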
This issue was responsibly reported by Josh Cummings.
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy