Fallback to Object When Determining Overridden Methods

jzheaux · jzheaux · commit f8272a884494 · 2025-09-15T09:16:50.000-06:00
Closes gh-17898
diff --git a/core/src/main/java/org/springframework/security/core/annotation/UniqueSecurityAnnotationScanner.java b/core/src/main/java/org/springframework/security/core/annotation/UniqueSecurityAnnotationScanner.java
@@ -308,7 +308,7 @@ private static boolean hasSameGenericTypeParameters(Method rootMethod, Method ca
 		}
 		for (int i = 0; i < rootParameterTypes.length; i++) {
 			Class<?> resolvedParameterType = ResolvableType.forMethodParameter(candidateMethod, i, sourceDeclaringClass)
-				.resolve();
+				.toClass();
 			if (rootParameterTypes[i] != resolvedParameterType) {
 				return false;
 			}
diff --git a/core/src/test/java/org/springframework/security/core/annotation/UniqueSecurityAnnotationScannerTests.java b/core/src/test/java/org/springframework/security/core/annotation/UniqueSecurityAnnotationScannerTests.java
@@ -28,6 +28,7 @@
 
 import org.springframework.core.annotation.AnnotationConfigurationException;
 import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.util.ClassUtils;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@@ -326,6 +327,14 @@ void scanParameterAnnotationWhenPresentInParentAndInterfaceThenException() throw
 			.isThrownBy(() -> this.parameterScanner.scan(parameter));
 	}
 
+	// gh-17898
+	@Test
+	void scanWhenAnnotationOnParameterizedUndeclaredMethodAndThenLocates() throws Exception {
+		Method method = ClassUtils.getMethod(GenericInterfaceImpl.class, "processOneAndTwo", Long.class, Object.class);
+		PreAuthorize pre = this.scanner.scan(method, method.getDeclaringClass());
+		assertThat(pre).isNotNull();
+	}
+
 	interface UserService {
 
 		void add(@CustomParameterAnnotation("one") String user);
@@ -764,4 +773,27 @@ <S extends Number> S getExtByClass(Class<S> clazz, Long l) {
 
 	}
 
+	interface GenericInterface<A, B> {
+
+		@PreAuthorize("hasAuthority('thirtythree')")
+		void processOneAndTwo(A value1, B value2);
+
+	}
+
+	abstract static class GenericAbstractSuperclass<C> implements GenericInterface<Long, C> {
+
+		@Override
+		public void processOneAndTwo(Long value1, C value2) {
+		}
+
+	}
+
+	static class GenericInterfaceImpl extends GenericAbstractSuperclass<String> {
+
+		// The compiler does not require us to declare a concrete
+		// processOneAndTwo(Long, String) method, and we intentionally
+		// do not declare one here.
+
+	}
+
 }

Original file line number	Diff line number	Diff line change
`@@ -308,7 +308,7 @@ private static boolean hasSameGenericTypeParameters(Method rootMethod, Method ca`
`308`	`308`	`}`
`309`	`309`	`for (int i = 0; i < rootParameterTypes.length; i++) {`
`310`	`310`	`Class<?> resolvedParameterType = ResolvableType.forMethodParameter(candidateMethod, i, sourceDeclaringClass)`
`311`		`- .resolve();`
	`311`	`+ .toClass();`
`312`	`312`	`if (rootParameterTypes[i] != resolvedParameterType) {`
`313`	`313`	`return false;`
`314`	`314`	`}`