Account for Super-super-interface Inheritance

jzheaux · jzheaux · commit be11812fe4da · 2023-12-09T11:41:02.000-07:00
Closes gh-13625
diff --git a/core/src/main/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtils.java b/core/src/main/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtils.java
@@ -95,17 +95,28 @@ static <A extends Annotation> A findUniqueAnnotation(Class<?> type, Class<A> ann
 
 	private static <A extends Annotation> boolean hasDuplicate(MergedAnnotations mergedAnnotations,
 			Class<A> annotationType) {
-		boolean alreadyFound = false;
+		MergedAnnotation<Annotation> alreadyFound = null;
 		for (MergedAnnotation<Annotation> mergedAnnotation : mergedAnnotations) {
 			if (isSynthetic(mergedAnnotation.getSource())) {
 				continue;
 			}
 
-			if (mergedAnnotation.getType() == annotationType) {
-				if (alreadyFound) {
-					return true;
-				}
-				alreadyFound = true;
+			if (mergedAnnotation.getType() != annotationType) {
+				continue;
+			}
+
+			if (alreadyFound == null) {
+				alreadyFound = mergedAnnotation;
+				continue;
+			}
+
+			// https://github.com/spring-projects/spring-framework/issues/31803
+			if (!mergedAnnotation.getSource().equals(alreadyFound.getSource())) {
+				return true;
+			}
+
+			if (mergedAnnotation.getRoot().getType() != alreadyFound.getRoot().getType()) {
+				return true;
 			}
 		}
 		return false;
diff --git a/core/src/test/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtilsTests.java b/core/src/test/java/org/springframework/security/authorization/method/AuthorizationAnnotationUtilsTests.java
@@ -41,6 +41,13 @@ void annotationsOnSyntheticMethodsShouldNotTriggerAnnotationConfigurationExcepti
 			.isThrownBy(() -> AuthorizationAnnotationUtils.findUniqueAnnotation(method, PreAuthorize.class));
 	}
 
+	@Test // gh-13625
+	void annotationsFromSuperSuperInterfaceShouldNotTriggerAnnotationConfigurationException() throws Exception {
+		Method method = HelloImpl.class.getMethod("sayHello");
+		assertThatNoException()
+			.isThrownBy(() -> AuthorizationAnnotationUtils.findUniqueAnnotation(method, PreAuthorize.class));
+	}
+
 	private interface BaseRepository<T> {
 
 		Iterable<T> findAll();
@@ -55,4 +62,24 @@ private interface StringRepository extends BaseRepository<String> {
 
 	}
 
+	private interface Hello {
+
+		@PreAuthorize("hasRole('someRole')")
+		String sayHello();
+
+	}
+
+	private interface SayHello extends Hello {
+
+	}
+
+	private static class HelloImpl implements SayHello {
+
+		@Override
+		public String sayHello() {
+			return "hello";
+		}
+
+	}
+
 }
