DefaultWebSecurityExpressionHandler is always used

I have a spring-boot web application that declares some security through this class:

 @Configuration @EnableWebSecurity @Order(Ordered.LOWEST_PRECEDENCE - 50) // needs to be after SpringBootAuthenticationConfigurerAdapter to register default in memory user public class StorefrontSecurityConfig extends GlobalAuthenticationConfigurerAdapter { @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER - 1) @Configuration public static class MyStorefrontSecurityConfig extends WebSecurityConfigurerAdapter { ..... } 

and it all works fine. I also add these annotations to some of my service methods:

@PreAuthorize("hasPermission(#entity, 'APPROVE') or hasPermission(#entity, 'ADMINISTRATION') or hasRole('ROLE_ADMINGROUP')") void approve(final EntityModificationEntityDefinition entity); @PreAuthorize("hasPermission(#entity, 'APPROVE') or hasPermission(#entity, 'ADMINISTRATION') or hasRole('ROLE_ADMINGROUP')") void reject(final EntityModificationEntityDefinition entity); 

and for now they don't do much - which is perfectly fine. But now I create jar file with the following configuration:

@Configuration @EnableGlobalMethodSecurity(securedEnabled = true, jsr250Enabled = true, prePostEnabled = true) public class PersonalizationConfig extends GlobalMethodSecurityConfiguration { private final Logger LOG = LogManager.getLogger(getClass()); /* Global Method Security */ @Override public AccessDecisionManager accessDecisionManager() { final List<AccessDecisionVoter<? extends Object>> accessDecisionVoters = new ArrayList<>(); accessDecisionVoters.add(new RoleVoter()); accessDecisionVoters.add(new AuthenticatedVoter()); accessDecisionVoters.add(new PreInvocationAuthorizationAdviceVoter(preInvocationAuthorizationAdvice())); final UnanimousBased accessDecisionManager = new UnanimousBased(accessDecisionVoters); accessDecisionManager.setAllowIfAllAbstainDecisions(true); return accessDecisionManager; } @Override protected MethodSecurityExpressionHandler createExpressionHandler() { return this.defaultMethodSecurityExpressionHandler(); } 

This jar has a spring.factories file in META-INF so that being a spring-boot application the @Configuration is loaded. Now I expect when I include this jar in the classpath to have the @PreAuthorize annotations to start working. However what I see is that AbstractSecurityExpressionHandler is invoked and it calls the abstract method createSecurityExpressionRoot(authentication, invocation); which always goes to DefaultWebSecurityExpressionHandler and never to the DefaultMethodSecurityExpressionHandler. I can see the DefaultMethodSecurityExpressionHandler is constructed when my application starts, so I'm really not sure what happens here.

EDIT: Here's my spring.factories file: org.springframework.boot.autoconfigure.EnableAutoConfiguration=com.nemesis.platform.module.personalization.core.config.PersonalizationConfig

5

Related questions 4 How to auto-logout when session expire in java spring boot / spring security (HttpSecurity) 1 GraphQL SpringBoot Security Exception 2 Spring Boot Security not ignoring certian url via WebSecurity Related questions 4 How to auto-logout when session expire in java spring boot / spring security (HttpSecurity) 1 GraphQL SpringBoot Security Exception 2 Spring Boot Security not ignoring certian url via WebSecurity 19 Security configuration with Spring-boot 5 Customize Spring Security for trusted space 0 SM_USER for every requests from SIteminder (Static requests as well) 7 Spring Security OAuth2 Redirect Loop 9 Spring boot security consider case insensitive username check for login Load 5 more related questions Show fewer related questions

Reset to default

Know someone who can answer? Share a link to this question via email, Twitter, or Facebook.

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge that you have read and understand our privacy policy and code of conduct.

You Might Also Like