Spring AOP Bean注入漏洞?

前端之家收集整理的这篇文章主要介绍了Spring AOP Bean注入漏洞?前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。

我在这里检查了测试项目:https://github.com/loesak/spring-aop-injection-bug

给出以下pom.xml:

和Spring配置:

package com.loesoft.spring.aop.injection.bug;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.retry.annotation.EnableRetry;
import org.springframework.retry.annotation.Retryable;

@Configuration
@EnableRetry
public class Proof {

    public static void main(String... args) {
        final AnnotationConfigApplicationContext context = new AnnotationConfigApplicationContext(Proof.class);
        context.registerShutdownHook();
    }

    @Bean
    public BeanThing beanThing() {
        return new BeanThing();
    }

    @Bean
    @Autowired
    public BeanNeedy beanNeedy(BeanThing beanThing) {
        return new BeanNeedy(beanThing);
    }

    public static interface BeanInterface {
        public void doSomething();
    }

    public static class BeanThing implements BeanInterface {

        @Retryable
        public void doSomething() {
            System.out.println("BeanNeedingDependencies doing something");
        }

    }

    public static class BeanNeedy {

        private final BeanThing beanThing;

        public BeanNeedy(BeanThing beanThing) {
            this.beanThing = beanThing;
        }
    }

}

Spring抛出以下错误:

Exception in thread "main" org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'beanNeedy' defined in com.loesoft.spring.aop.injection.bug.Proof: Unsatisfied dependency expressed through constructor argument with index 0 of type [com.loesoft.spring.aop.injection.bug.Proof$BeanThing]: : No qualifying bean of type [com.loesoft.spring.aop.injection.bug.Proof$BeanThing] found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency annotations: {}; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type [com.loesoft.spring.aop.injection.bug.Proof$BeanThing] found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency annotations: {}
    at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:749)
    at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:464)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1123)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1018)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:510)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:482)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:305)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:301)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:196)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:772)
    at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:834)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:537)
    at org.springframework.context.annotation.AnnotationConfigApplicationContext.

我已经跟踪了这个事实,即bean“beanThing”最终成为JdkDynamicAopProxy,因为它有接口,当在创建bean“beanNeedy”时尝试查找匹配的bean作为自动连接的候选者时,代码最终在ResolvableType中# isInstance不检查JDK代理类型的基础类型,也没有找到类型为“BeanThing”的创建bean“beanThing”.

我可以通过两种方式解决这个问题.第一种方法是将@EnableRetry注释字段“proxyTargetClass”设置为“true”,或者删除类BeanThing上的接口.

这是一个错误还是我错过了一些我不知道的关于Spring AOP的信息?总的来说,这对我来说似乎不对.我觉得Spring应该能够确定Proxy bean的底层类型,除非有一些技术原因,为什么它不能.如果有技术原因导致无法确定JDK代理的基础类型,那么Spring可能会有一些额外的检查来帮助开发人员弄清楚发生了什么.

请记住,这与Spring Retry(因此没有标记)无关,因为我已经能够使用其他注释来重现此问题,这些注释需要使用AOP代理包装底层bean.

最佳答案
从JDK代理javadocs

A dynamic proxy class is a class that implements a list of interfaces
specified at runtime when the class is created

这意味着代理只能实现bean的接口,但不是它的实例.你不能用代理替换真正的类,因为你没有类的方法和变量,只有代理的方法.

I can get around this in two ways. The first by setting the
@EnableRetry annotation field “proxyTargetClass” to “true” or by
removing the interface on the class BeanThing.

如果将proxyTargetClass设置为true而不是JDK代理,Spring将创建一个CGLIB类(当类没有接口时也会发生这种情况,因为您无法在没有接口的情况下创建JDK代理).
使用CGLIB,bean的子类以dinamically方式创建,用于拦截方法调用.

CGLIB代理是BeanThing,因为它继承自它. JDK代理不是BeanThing,因为它只是实现其接口.

还有第三种方法可以解决您的问题:不是注入BeanThing类,而是注入它实现的接口(BeanInterface).

@Bean
public BeanInterface beanThing() {
    return new BeanThing();
}

// .....

public static class BeanNeedy {

    private final BeanInterface beanThing;

    public BeanNeedy(BeanInterface beanThing) {
        this.beanThing = beanThing;
    }
}

组态

为了启用CGLIB,您可以使用@EnableAspectJAutoProxy批注,并在其中一个配置类中将proxyTargetClass设置为true.

@Configuration
@EnableAspectJAutoProxy(proxyTargetClass = true)
public class OneOfYourGlobalConfigConfigs {

}

猜你在找的Spring相关文章