5

I'm working with Spring AOP and I'd like to be able to define a pointcut which is triggered whenever a method inside of a package, whose name is defined in a properties file, is called. That is, my pointcut would look something like 

@Pointcut("within(${base.packageName}.*)")
public void MyPointCut() {}

and then if my config file had

base.packageName=foo.bar

then at runtime the pointcut would behave like this one

@Pointcut("within(foo.bar.*)")
public void MyPointCut() {}

I've tried several different things (e.g. using SpEL in the pointcut expression, configuring a class implementing the static pointcut interface) but nothing has worked.

Is there any way in spring to define a pointcut based on a value found in a configuration file?

rsmartin2011
  • 51
  • 2
  • 4

2 Answers2

3

This is not possible as the annotation value must be a compile time constant expression. So your pointcut cannot resolve ${} placeholder, as the placeholder resolution happens at runtime. See more here.

HelloWorld
  • 123
  • 1
  • 12
  • While the annotation parameters must be compile-time constants, nothing prevents a library from evaluating those parameters at runtime, like Spring does for `@Value` in the question you referenced. This would only be possible with runtime weaving, of course, but the reason you give does not prevent it. – Didier L Mar 20 '20 at 17:51
  • Can you elaborate more by providing an example that explains how to achieve the same? Thanks. – HelloWorld Apr 17 '20 at 06:59
1

The fact that you cannot do this, may be by design.

I'm going to posit something to you here and I'd like you to think about the ramifications.

You are asking to be able to dynamically define a value to an Aspect Oriented construct. You are placing it in an externally accessible source that is un-validated. If a hostile, think in terms of security here, were to alter the point cut and execute some other piece of code (possibly even arbitrary) would you consider that safe?

AOP, while extremely valuable, puts most security researchers on edge.

Dave G
  • 9,639
  • 36
  • 41
  • I understand the concern, however I have 2 questions: 1. A hostile could perhaps alter the value and arbitrarily define the pointcut however they couldn't execute another piece of code as the pointcut is still only calling the advice I've written? 2. Doesn't spring to some extent already do this? Isn't all externalized configuration subject to this concern? Regardless, thanks for your response, it's something I had not thought about. – rsmartin2011 Dec 10 '17 at 13:58
  • 1) True - think Denial of Service attack - if the point cut is changed to an expression that would be excessively intense that could result a potential attack vector. 2) Yes - but in some newer instances (spring-boot's configproperties) expressions in external configuration are restricted to property expansion. SpEL is not supported. – Dave G Dec 10 '17 at 15:39
  • I tried to upvote your comment but I don't think I have enough reputation (and I did upvote your answer it's just not visible). Very good information though. – rsmartin2011 Dec 10 '17 at 15:54