I have a spring-boot web application that declares some security through this class:
@Configuration @EnableWebSecurity @Order(Ordered.LOWEST_PRECEDENCE - 50) // needs to be after SpringBootAuthenticationConfigurerAdapter to register default in memory user public class StorefrontSecurityConfig extends GlobalAuthenticationConfigurerAdapter { @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER - 1) @Configuration public static class MyStorefrontSecurityConfig extends WebSecurityConfigurerAdapter { ..... } and it all works fine. I also add these annotations to some of my service methods:
@PreAuthorize("hasPermission(#entity, 'APPROVE') or hasPermission(#entity, 'ADMINISTRATION') or hasRole('ROLE_ADMINGROUP')") void approve(final EntityModificationEntityDefinition entity); @PreAuthorize("hasPermission(#entity, 'APPROVE') or hasPermission(#entity, 'ADMINISTRATION') or hasRole('ROLE_ADMINGROUP')") void reject(final EntityModificationEntityDefinition entity); and for now they don't do much - which is perfectly fine. But now I create jar file with the following configuration:
@Configuration @EnableGlobalMethodSecurity(securedEnabled = true, jsr250Enabled = true, prePostEnabled = true) public class PersonalizationConfig extends GlobalMethodSecurityConfiguration { private final Logger LOG = LogManager.getLogger(getClass()); /* Global Method Security */ @Override public AccessDecisionManager accessDecisionManager() { final List<AccessDecisionVoter<? extends Object>> accessDecisionVoters = new ArrayList<>(); accessDecisionVoters.add(new RoleVoter()); accessDecisionVoters.add(new AuthenticatedVoter()); accessDecisionVoters.add(new PreInvocationAuthorizationAdviceVoter(preInvocationAuthorizationAdvice())); final UnanimousBased accessDecisionManager = new UnanimousBased(accessDecisionVoters); accessDecisionManager.setAllowIfAllAbstainDecisions(true); return accessDecisionManager; } @Override protected MethodSecurityExpressionHandler createExpressionHandler() { return this.defaultMethodSecurityExpressionHandler(); } This jar has a spring.factories file in META-INF so that being a spring-boot application the @Configuration is loaded. Now I expect when I include this jar in the classpath to have the @PreAuthorize annotations to start working. However what I see is that AbstractSecurityExpressionHandler is invoked and it calls the abstract method createSecurityExpressionRoot(authentication, invocation); which always goes to DefaultWebSecurityExpressionHandler and never to the DefaultMethodSecurityExpressionHandler. I can see the DefaultMethodSecurityExpressionHandler is constructed when my application starts, so I'm really not sure what happens here.
EDIT: Here's my spring.factories file: org.springframework.boot.autoconfigure.EnableAutoConfiguration=com.nemesis.platform.module.personalization.core.config.PersonalizationConfig
Related questions 4 How to auto-logout when session expire in java spring boot / spring security (HttpSecurity) 1 GraphQL SpringBoot Security Exception 2 Spring Boot Security not ignoring certian url via WebSecurity Related questions 4 How to auto-logout when session expire in java spring boot / spring security (HttpSecurity) 1 GraphQL SpringBoot Security Exception 2 Spring Boot Security not ignoring certian url via WebSecurity 19 Security configuration with Spring-boot 5 Customize Spring Security for trusted space 0 SM_USER for every requests from SIteminder (Static requests as well) 7 Spring Security OAuth2 Redirect Loop 9 Spring boot security consider case insensitive username check for login Load 5 more related questions Show fewer related questions
Reset to default