Fallback to Object When Determining Overridden Methods

jzheaux · jzheaux · commit e5694ac7b5e4 · 2025-09-15T09:31:50.000-06:00
Closes gh-17898
diff --git a/core/src/main/java/org/springframework/security/core/annotation/UniqueSecurityAnnotationScanner.java b/core/src/main/java/org/springframework/security/core/annotation/UniqueSecurityAnnotationScanner.java
@@ -252,7 +252,7 @@ private static boolean hasSameGenericTypeParameters(Method rootMethod, Method ca
 		}
 		for (int i = 0; i < rootParameterTypes.length; i++) {
 			Class<?> resolvedParameterType = ResolvableType.forMethodParameter(candidateMethod, i, sourceDeclaringClass)
-				.resolve();
+				.toClass();
 			if (rootParameterTypes[i] != resolvedParameterType) {
 				return false;
 			}
diff --git a/core/src/test/java/org/springframework/security/core/annotation/UniqueSecurityAnnotationScannerTests.java b/core/src/test/java/org/springframework/security/core/annotation/UniqueSecurityAnnotationScannerTests.java
@@ -22,6 +22,7 @@
 
 import org.springframework.core.annotation.AnnotationConfigurationException;
 import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.util.ClassUtils;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@@ -275,6 +276,14 @@ void scanWhenAnnotationOnParameterizedMethodThenLocates() throws Exception {
 		assertThat(pre).isNotNull();
 	}
 
+	// gh-17898
+	@Test
+	void scanWhenAnnotationOnParameterizedUndeclaredMethodAndThenLocates() throws Exception {
+		Method method = ClassUtils.getMethod(GenericInterfaceImpl.class, "processOneAndTwo", Long.class, Object.class);
+		PreAuthorize pre = this.scanner.scan(method, method.getDeclaringClass());
+		assertThat(pre).isNotNull();
+	}
+
 	@PreAuthorize("one")
 	private interface AnnotationOnInterface {
 
@@ -637,4 +646,27 @@ <S extends Number> S getExtByClass(Class<S> clazz, Long l) {
 
 	}
 
+	interface GenericInterface<A, B> {
+
+		@PreAuthorize("hasAuthority('thirtythree')")
+		void processOneAndTwo(A value1, B value2);
+
+	}
+
+	abstract static class GenericAbstractSuperclass<C> implements GenericInterface<Long, C> {
+
+		@Override
+		public void processOneAndTwo(Long value1, C value2) {
+		}
+
+	}
+
+	static class GenericInterfaceImpl extends GenericAbstractSuperclass<String> {
+
+		// The compiler does not require us to declare a concrete
+		// processOneAndTwo(Long, String) method, and we intentionally
+		// do not declare one here.
+
+	}
+
 }

Original file line number	Diff line number	Diff line change
`@@ -252,7 +252,7 @@ private static boolean hasSameGenericTypeParameters(Method rootMethod, Method ca`
`252`	`252`	`}`
`253`	`253`	`for (int i = 0; i < rootParameterTypes.length; i++) {`
`254`	`254`	`Class<?> resolvedParameterType = ResolvableType.forMethodParameter(candidateMethod, i, sourceDeclaringClass)`
`255`		`- .resolve();`
	`255`	`+ .toClass();`
`256`	`256`	`if (rootParameterTypes[i] != resolvedParameterType) {`
`257`	`257`	`return false;`
`258`	`258`	`}`