Revise contribution

sbrannen · sbrannen · commit 038968442978 · 2025-10-11T19:37:34.000+02:00
See gh-35352
diff --git a/spring-web/src/testFixtures/java/org/springframework/web/testfixture/method/PackagePrivateMethodController.java b/spring-web/src/testFixtures/java/org/springframework/web/testfixture/method/PackagePrivateMethodController.java
@@ -19,19 +19,11 @@
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 
-public class VisibilityTestHandler {
+@Controller
+public class PackagePrivateMethodController {
 
-	@Controller
-	public static class PackagePrivateController {
-		@RequestMapping("/package-private")
-		void packagePrivateMethod() {
-		}
+	@RequestMapping("/package-private")
+	void packagePrivateMethod() {
 	}
 
-	@Controller
-	public static class ProtectedController {
-		@RequestMapping("/protected")
-		protected void protectedMethod() {
-		}
-	}
 }
diff --git a/spring-webflux/src/main/java/org/springframework/web/reactive/result/method/annotation/RequestMappingHandlerMapping.java b/spring-webflux/src/main/java/org/springframework/web/reactive/result/method/annotation/RequestMappingHandlerMapping.java
@@ -161,11 +161,13 @@ protected boolean isHandler(Class<?> beanType) {
 	 * Uses type-level and method-level {@link RequestMapping @RequestMapping}
 	 * and {@link HttpExchange @HttpExchange} annotations to create the
 	 * {@link RequestMappingInfo}.
-	 * <p>For CGLIB proxy classes, additional validation is performed based on method visibility:
+	 * <p>For CGLIB proxy classes, additional validation is performed based on
+	 * method visibility:
 	 * <ul>
-	 * <li>Private methods cannot be overridden and therefore cannot be used as handler methods.</li>
-	 * <li>Package-private methods from different packages are inaccessible and must be
-	 * changed to public or protected.</li>
+	 * <li>Private methods cannot be overridden and therefore cannot be used as
+	 * handler methods.</li>
+	 * <li>Package-private methods from different packages are inaccessible and
+	 * must be changed to public or protected.</li>
 	 * </ul>
 	 * @return the created {@code RequestMappingInfo}, or {@code null} if the method
 	 * does not have a {@code @RequestMapping} or {@code @HttpExchange} annotation
@@ -200,37 +202,38 @@ protected boolean isHandler(Class<?> beanType) {
 		return info;
 	}
 
-	private void validateCglibProxyMethodVisibility(Method method, Class<?> handlerType) {
-		if (isCglibProxy(handlerType)) {
+	/**
+	 * Validate the method visibility requirements specified in {@link #getMappingForMethod(Method, Class)}.
+	 * @since 7.0
+	 */
+	private static void validateCglibProxyMethodVisibility(Method method, Class<?> handlerType) {
+		if (handlerType.getName().contains(ClassUtils.CGLIB_CLASS_SEPARATOR)) {
 			int modifiers = method.getModifiers();
 
 			if (Modifier.isPrivate(modifiers)) {
-				throw new IllegalStateException(
-						"Private method [" + method.getName() + "] on CGLIB proxy class [" + handlerType.getName() +
-								"] cannot be used as a request handler method because private methods cannot be overridden. " +
-								"Change the method to non-private visibility or use interface-based JDK proxying instead.");
+				throw new IllegalStateException("""
+						Private method [%s] on CGLIB proxy class [%s] cannot be used as a request \
+						handler method, because private methods cannot be overridden. \
+						Change the method to non-private visibility, or use interface-based JDK \
+						proxying instead.""".formatted(method.getName(), handlerType.getName()));
 			}
 
 			if (!Modifier.isPublic(modifiers) && !Modifier.isProtected(modifiers)) {
 				Class<?> declaringClass = method.getDeclaringClass();
-				Package methodPackage = declaringClass.getPackage();
-				Package handlerPackage = handlerType.getPackage();
-
-				if (!Objects.equals(methodPackage, handlerPackage)) {
-					throw new IllegalStateException(
-							"Package-private method [" + method.getName() + "] on CGLIB proxy class [" + declaringClass.getName() +
-									"] from package [" + methodPackage.getName() + "] cannot be advised when used by handler class [" +
-									handlerType.getName() + "] from package [" + handlerPackage.getName() + "] because it is effectively private. " +
-									"Either make the method public/protected or use interface-based JDK proxying instead.");
+				String declaringPackage = declaringClass.getPackage().getName();
+				String handlerPackage = handlerType.getPackage().getName();
+
+				if (!Objects.equals(declaringPackage, handlerPackage)) {
+					throw new IllegalStateException("""
+							Package-private method [%s] declared in class [%s] cannot be advised by \
+							CGLIB-proxied handler class [%s], because it is effectively private. Either \
+							make the method public or protected, or use interface-based JDK proxying instead."""
+								.formatted(method.getName(), declaringClass.getName(), handlerType.getName()));
 				}
 			}
 		}
 	}
 
-	private boolean isCglibProxy(Class<?> beanType) {
-		return beanType.getName().contains(ClassUtils.CGLIB_CLASS_SEPARATOR);
-	}
-
 	private @Nullable RequestMappingInfo createRequestMappingInfo(AnnotatedElement element) {
 
 		List<AnnotationDescriptor> descriptors =
diff --git a/spring-webflux/src/test/java/org/springframework/web/reactive/result/method/annotation/RequestMappingHandlerMappingTests.java b/spring-webflux/src/test/java/org/springframework/web/reactive/result/method/annotation/RequestMappingHandlerMappingTests.java
@@ -53,6 +53,7 @@
 import org.springframework.web.service.annotation.PostExchange;
 import org.springframework.web.service.annotation.PutExchange;
 import org.springframework.web.testfixture.http.server.reactive.MockServerHttpRequest;
+import org.springframework.web.testfixture.method.PackagePrivateMethodController;
 import org.springframework.web.testfixture.server.MockServerWebExchange;
 import org.springframework.web.util.pattern.PathPattern;
 import org.springframework.web.util.pattern.PathPatternParser;
@@ -62,8 +63,6 @@
 import static org.mockito.Mockito.mock;
 import static org.springframework.web.bind.annotation.RequestMethod.POST;
 import static org.springframework.web.reactive.result.method.RequestMappingInfo.paths;
-import static org.springframework.web.testfixture.method.VisibilityTestHandler.PackagePrivateController;
-import static org.springframework.web.testfixture.method.VisibilityTestHandler.ProtectedController;
 
 /**
  * Tests for {@link RequestMappingHandlerMapping}.
@@ -414,25 +413,26 @@ void requestBodyAnnotationFromImplementationOverridesInterface() {
 		assertThat(matchingInfo).isEqualTo(paths(path).methods(POST).consumes(mediaType.toString()).build());
 	}
 
-	@Test
+	@Test  // gh-35352
 	void privateMethodOnCglibProxyShouldThrowException() throws Exception {
 		RequestMappingHandlerMapping mapping = new RequestMappingHandlerMapping();
 
 		Class<?> handlerType = PrivateMethodController.class;
-		Method method = handlerType.getDeclaredMethod("privateMethod");
-
+		String methodName = "privateMethod";
+		Method method = handlerType.getDeclaredMethod(methodName);
 		Class<?> proxyClass = createProxyClass(handlerType);
 
 		assertThatIllegalStateException()
 				.isThrownBy(() -> mapping.getMappingForMethod(method, proxyClass))
-				.withMessageContainingAll(
-						"Private method [privateMethod]",
-						"cannot be used as a request handler method"
-				);
+				.withMessage("""
+						Private method [%s] on CGLIB proxy class [%s] cannot be used as a request \
+						handler method, because private methods cannot be overridden. \
+						Change the method to non-private visibility, or use interface-based JDK \
+						proxying instead.""", methodName, proxyClass.getName());
 	}
 
-	@Test
-	void protectedMethodShouldNotThrowException() throws Exception {
+	@Test  // gh-35352
+	void protectedMethodOnCglibProxyShouldNotThrowException() throws Exception {
 		RequestMappingHandlerMapping mapping = new RequestMappingHandlerMapping();
 
 		Class<?> handlerType = ProtectedMethodController.class;
@@ -444,63 +444,33 @@ void protectedMethodShouldNotThrowException() throws Exception {
 		assertThat(info.getPatternsCondition().getDirectPaths()).containsOnly("/protected");
 	}
 
-	@Test
-	void differentPackagePackagePrivateMethodShouldThrowException() throws Exception {
+	@Test  // gh-35352
+	void differentPackagePackagePrivateMethodOnCglibProxyShouldThrowException() throws Exception {
 		RequestMappingHandlerMapping mapping = new RequestMappingHandlerMapping();
 
-		Class<?> handlerType = ControllerWithPackagePrivateClass.class;
-		Method method = PackagePrivateController.class.getDeclaredMethod("packagePrivateMethod");
-
+		Class<?> handlerType = LocalPackagePrivateMethodControllerSubclass.class;
+		Class<?> declaringClass = PackagePrivateMethodController.class;
+		String methodName = "packagePrivateMethod";
+		Method method = declaringClass.getDeclaredMethod(methodName);
 		Class<?> proxyClass = createProxyClass(handlerType);
 
 		assertThatIllegalStateException()
 				.isThrownBy(() -> mapping.getMappingForMethod(method, proxyClass))
-				.withMessageContainingAll(
-						"Package-private method [packagePrivateMethod]",
-						"cannot be advised when used by handler class"
-				);
-	}
-
-	@Test
-	void differentPackageProtectedMethodShouldNotThrowException() throws Exception {
-		RequestMappingHandlerMapping mapping = new RequestMappingHandlerMapping();
-
-		Class<?> handlerType = ControllerWithProtectedClass.class;
-		Method method = ProtectedController.class.getDeclaredMethod("protectedMethod");
-
-		Class<?> proxyClass = createProxyClass(handlerType);
-
-		RequestMappingInfo info = mapping.getMappingForMethod(method, proxyClass);
-		assertThat(info.getPatternsCondition().getDirectPaths()).containsOnly("/protected");
+				.withMessage("""
+						Package-private method [%s] declared in class [%s] cannot be advised by \
+						CGLIB-proxied handler class [%s], because it is effectively private. Either \
+						make the method public or protected, or use interface-based JDK proxying instead.""",
+							methodName, declaringClass.getName(), proxyClass.getName());
 	}
 
 
-	private Class<?> createProxyClass(Class<?> targetClass) {
+	private static Class<?> createProxyClass(Class<?> targetClass) {
 		Enhancer enhancer = new Enhancer();
 		enhancer.setSuperclass(targetClass);
 		enhancer.setCallbackTypes(new Class[]{NoOp.class});
-
 		return enhancer.createClass();
 	}
 
-	@Controller
-	static class PrivateMethodController {
-		@RequestMapping("/private")
-		private void privateMethod() {}
-	}
-
-	@Controller
-	static class ProtectedMethodController {
-		@RequestMapping("/protected")
-		protected void protectedMethod() {}
-	}
-
-	@Controller
-	static class ControllerWithPackagePrivateClass extends PackagePrivateController { }
-
-	@Controller
-	static class ControllerWithProtectedClass extends ProtectedController { }
-
 	private RequestMappingInfo assertComposedAnnotationMapping(RequestMethod requestMethod) {
 		String methodName = requestMethod.name().toLowerCase();
 		String path = "/" + methodName;
@@ -705,4 +675,21 @@ public void post(@RequestBody(required = true) Foo foo) {}
 	@interface ExtraHttpExchange {
 	}
 
+	@Controller
+	static class PrivateMethodController {
+
+		@RequestMapping("/private")
+		private void privateMethod() {}
+	}
+
+	@Controller
+	static class ProtectedMethodController {
+
+		@RequestMapping("/protected")
+		protected void protectedMethod() {}
+	}
+
+	static class LocalPackagePrivateMethodControllerSubclass extends PackagePrivateMethodController {
+	}
+
 }
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerMapping.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerMapping.java
@@ -187,11 +187,13 @@ protected boolean isHandler(Class<?> beanType) {
 	 * Uses type-level and method-level {@link RequestMapping @RequestMapping}
 	 * and {@link HttpExchange @HttpExchange} annotations to create the
 	 * {@link RequestMappingInfo}.
-	 * <p>For CGLIB proxy classes, additional validation is performed based on method visibility:
+	 * <p>For CGLIB proxy classes, additional validation is performed based on
+	 * method visibility:
 	 * <ul>
-	 * <li>Private methods cannot be overridden and therefore cannot be used as handler methods.</li>
-	 * <li>Package-private methods from different packages are inaccessible and must be
-	 * changed to public or protected.</li>
+	 * <li>Private methods cannot be overridden and therefore cannot be used as
+	 * handler methods.</li>
+	 * <li>Package-private methods from different packages are inaccessible and
+	 * must be changed to public or protected.</li>
 	 * </ul>
 	 * @return the created {@code RequestMappingInfo}, or {@code null} if the method
 	 * does not have a {@code @RequestMapping} or {@code @HttpExchange} annotation
@@ -219,38 +221,38 @@ protected boolean isHandler(Class<?> beanType) {
 		return info;
 	}
 
-	private void validateCglibProxyMethodVisibility(Method method, Class<?> handlerType) {
-		if (isCglibProxy(handlerType)) {
+	/**
+	 * Validate the method visibility requirements specified in {@link #getMappingForMethod(Method, Class)}.
+	 * @since 7.0
+	 */
+	private static void validateCglibProxyMethodVisibility(Method method, Class<?> handlerType) {
+		if (handlerType.getName().contains(ClassUtils.CGLIB_CLASS_SEPARATOR)) {
 			int modifiers = method.getModifiers();
 
 			if (Modifier.isPrivate(modifiers)) {
-				throw new IllegalStateException(
-						"Private method [" + method.getName() + "] on CGLIB proxy class [" + handlerType.getName() +
-								"] cannot be used as a request handler method because private methods cannot be overridden. " +
-								"Change the method to non-private visibility or use interface-based JDK proxying instead.");
+				throw new IllegalStateException("""
+						Private method [%s] on CGLIB proxy class [%s] cannot be used as a request \
+						handler method, because private methods cannot be overridden. \
+						Change the method to non-private visibility, or use interface-based JDK \
+						proxying instead.""".formatted(method.getName(), handlerType.getName()));
 			}
 
 			if (!Modifier.isPublic(modifiers) && !Modifier.isProtected(modifiers)) {
 				Class<?> declaringClass = method.getDeclaringClass();
-				Package methodPackage = declaringClass.getPackage();
-				Package handlerPackage = handlerType.getPackage();
-
-				if (!Objects.equals(methodPackage, handlerPackage)) {
-					throw new IllegalStateException(
-							"Package-private method [" + method.getName() + "] on CGLIB proxy class [" + declaringClass.getName() +
-									"] from package [" + methodPackage.getName() + "] cannot be advised when used by handler class [" +
-									handlerType.getName() + "] from package [" + handlerPackage.getName() + "] because it is effectively private. " +
-									"Either make the method public/protected or use interface-based JDK proxying instead.");
+				String declaringPackage = declaringClass.getPackage().getName();
+				String handlerPackage = handlerType.getPackage().getName();
+
+				if (!Objects.equals(declaringPackage, handlerPackage)) {
+					throw new IllegalStateException("""
+							Package-private method [%s] declared in class [%s] cannot be advised by \
+							CGLIB-proxied handler class [%s], because it is effectively private. Either \
+							make the method public or protected, or use interface-based JDK proxying instead."""
+								.formatted(method.getName(), declaringClass.getName(), handlerType.getName()));
 				}
 			}
 		}
 	}
 
-	private boolean isCglibProxy(Class<?> beanType) {
-		return beanType.getName().contains(ClassUtils.CGLIB_CLASS_SEPARATOR);
-	}
-
-
 	@Nullable String getPathPrefix(Class<?> handlerType) {
 		for (Map.Entry<String, Predicate<Class<?>>> entry : this.pathPrefixes.entrySet()) {
 			if (entry.getValue().test(handlerType)) {
diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerMappingTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/mvc/method/annotation/RequestMappingHandlerMappingTests.java
