When whitelisting methods, sometimes you want to whitelist specific implementation (say groovy.json.JsonBuilder.toString()) of a generic signature defined in the base type (java.lang.Object.toString() in this case.)

In other times, you want to whitelist all the method definitions that override an interface/class method. For example, another person might want to allow all java.lang.Object.toString() invocation regardless of the receiver type.

script-security plugin currently doesn't have means to do this in Whitelist. GroovyCallSiteSelector.method picks one Method instance and all the decision making happens on this single method call.

Preferably, the call site selection should find the actual method definition getting invoked, as well as methods in the super types that it overrides, so that Whitelist can make decisions by using them all.