Skip to content

PrePostMethodSecurityConfiguration ignores custom PermissionEvaluator #45675

New issue
New issue
Closed as not planned
Closed as not planned
PrePostMethodSecurityConfiguration ignores custom PermissionEvaluator#45675
Labels
for: external-projectFor an external project and not something we can fix
@aburmeis

Description

@aburmeis
aburmeis
opened on May 26, 2025

Problem:

I try to use a custom PermissionEvaluator in PreAuthorize- and PostAuthorize SpEL with the delegating hasPermission(). The bean is registered but not used, instead the default DenyAllPermissionEvaluator is still used.

Investigation:

Looking into the code I find the deprecated GlobalMethodSecurityConfiguration would configure a custom PermissionEvaluator bean (see afterSingletonsInstantiated()) but it is deprecated and no longer used by auto configuration and the new PrePostMethodSecurityConfiguration ignores the existence of such a bean.

Solution Idea:

final class PrePostMethodSecurityConfiguration {

	@Autowired(required = false)
	void setPermissionEvaluator(PermissionEvaluator permissionEvaluator) {
		this.expressionHandler.setPermissionEvaluator(permissionEvaluator);
	}
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    for: external-projectFor an external project and not something we can fix

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions