Expected Behavior
The expression handler that gets created per default in PrePostMethodSecurityConfiguration at
|
private final DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler(); |
doesn't use the existing permission evaluator from the Spring context but keeps the default
DenyAllPermissionEvaluator.
Current Behavior
The expression handler should be setup in the PrePostMethodSecurityConfiguration with the existing permission evaluator like
@Autowired(required = false)
void setPermissionEvaluator(PermissionEvaluator permissionEvaluator) {
this.expressionHandler.setPermissionEvaluator(permissionEvaluator);
}
Context
I've switched from the @EnableGlobalMethodSecurity annotation to the @EnableMethodSecurity annotation and this caused the existing permission evaluator not to be applied to @PreAuthorize annotations for methods.
There is of course a way to fix that easily by defining a custom expression handler that utilizes the permission evaluator, but I would've expected that the old way of the @EnableGlobalMethodSecurity using the existing permission evaluator should also work with the new annotation without defining additional beans.
But maybe this was a conscious decision or I'm simply missing something.
Thanks in advance for taking a look.
Expected Behavior
The expression handler that gets created per default in
PrePostMethodSecurityConfigurationatspring-security/config/src/main/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.java
Line 63 in 74d646f
DenyAllPermissionEvaluator.Current Behavior
The expression handler should be setup in the
PrePostMethodSecurityConfigurationwith the existing permission evaluator likeContext
I've switched from the
@EnableGlobalMethodSecurityannotation to the@EnableMethodSecurityannotation and this caused the existing permission evaluator not to be applied to@PreAuthorizeannotations for methods.There is of course a way to fix that easily by defining a custom expression handler that utilizes the permission evaluator, but I would've expected that the old way of the
@EnableGlobalMethodSecurityusing the existing permission evaluator should also work with the new annotation without defining additional beans.But maybe this was a conscious decision or I'm simply missing something.
Thanks in advance for taking a look.