Skip to content

Prevent reflective invocation of private methods in web dispatcher #35352

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Prevent reflective invocation of private methods in web dispatcher #35352

wants to merge 4 commits into from
+99 −3

Conversation

YongGoose
Copy link

fixes #30938

@YongGoose
Prevent reflective invocation of private methods in web dispatcher
2eddd3b 
Signed-off-by: yongjunhong <yongjunh@apache.org>
@YongGoose YongGoose mentioned this pull request Aug 20, 2025
Closed
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Aug 20, 2025
rstoyanchev
rstoyanchev requested changes Oct 1, 2025
View reviewed changes
Copy link
Contributor

@rstoyanchev rstoyanchev left a comment
edited by sbrannen
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couldn't this be checked in RequestMappingHandlerMapping when request mappings are being initialized?

It would avoid repeating that on every call.

@rstoyanchev rstoyanchev added the in: web Issues in web modules (web, webmvc, webflux, websocket) label Oct 1, 2025
sbrannen
sbrannen requested changes Oct 3, 2025
View reviewed changes
Copy link
Member

@sbrannen sbrannen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I requested a few changes.

Please also take Rossen's comment into account.

spring-web/src/main/java/org/springframework/web/method/support/InvocableHandlerMethod.java Outdated

if (AopUtils.isCglibProxy(bean) && Modifier.isPrivate(method.getModifiers())) {
throw new IllegalStateException(
"Cannot invoke private method [" + method.getName() + "] on a CGLIB proxy. " +
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would probably be good to include context about the bean in the exception message as well.

spring-web/src/main/java/org/springframework/web/method/support/InvocableHandlerMethod.java Outdated
if (AopUtils.isCglibProxy(bean) && Modifier.isPrivate(method.getModifiers())) {
throw new IllegalStateException(
"Cannot invoke private method [" + method.getName() + "] on a CGLIB proxy. " +
"Handler methods on proxied components must be public or protected. " +
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's not completely true. It's possible for a package-private method to be proxied.

As stated in the reference documentation:

  • private methods cannot be advised, because they cannot be overridden.
  • Methods that are not visible – for example, package-private methods in a parent class from a different package – cannot be advised because they are effectively private.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done in 72ff98a !

@sbrannen sbrannen added the status: waiting-for-feedback We need additional information before we can continue label Oct 3, 2025
@YongGoose
Copy link
Author

I'm currently traveling, so I should be able to work on it around Wednesday or Thursday this week.
@rstoyanchev @sbrannen Thank you both so much for the great reviews! 🙇🏻‍♂️

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Oct 6, 2025
@YongGoose
Apply code review
72ff98a 
Signed-off-by: yongjunhong <yongjunh@apache.org>
@YongGoose
Revert changes
549acc0 
Signed-off-by: yongjunhong <yongjunh@apache.org>
@YongGoose
Create test code
6819d95 
Signed-off-by: yongjunhong <yongjunh@apache.org>
@YongGoose
Copy link
Author

Couldn't this be checked in RequestMappingHandlerMapping when request mappings are being initialized?

It would avoid repeating that on every call.

Please take a look :)

@YongGoose
Copy link
Author

@sbrannen @rstoyanchev

If you have some time, I’d really appreciate it if you could take a look at this PR as well. 🙇🏻‍♂️🙇🏻‍♂️

It’s similar to the this PR, focusing on the access modifiers and proxies!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sbrannen sbrannen Awaiting requested review from sbrannen

@rstoyanchev rstoyanchev Awaiting requested review from rstoyanchev

Assignees
No one assigned
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) status: feedback-provided Feedback has been provided status: waiting-for-triage An issue we've not yet triaged or decided on
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Invoking private method on a CGLIB proxy should trigger a dedicated exception
4 participants
@YongGoose @sbrannen @rstoyanchev @spring-projects-issues