Unable to secure path with id when @Preauthorize is used in repository

[gd08xxx]

I tried @PreAuthorize to secure the path for Speedboat and it does not work.

interface SpeedboatRepository : PagingAndSortingRepository<Speedboat, Int> {

    @PreAuthorize("hasRole('ADMIN')")
    override fun findById(id: Int): Optional<Speedboat>
}

Procedure:

GET locahost:8080/api/v1/speedboats/1 without authorization

Expected result: 401
Actual result: 200 with body

This is my security configuration

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
class AppWebSecurityConfigurerAdapter(
    private val passwordEncoder: PasswordEncoder,
    private val appUserDetailsService: AppUserDetailsService,
    private val jwtConfiguration: JwtConfiguration,
    private val secretKey: SecretKey,
    private val repository: MemberRepository
) : WebSecurityConfigurerAdapter() {

    override fun configure(http: HttpSecurity) {
        http {
            csrf {
                disable()
            }
            sessionManagement {
                sessionCreationPolicy = SessionCreationPolicy.STATELESS
            }
            addFilterAt<UsernamePasswordAuthenticationFilter>(
                JwtUsernameAndPasswordAuthenticationFilter(
                    authenticationManager(),
                    jwtConfiguration,
                    secretKey,
                    repository
                )
            )
            addFilterAfter<JwtUsernameAndPasswordAuthenticationFilter>(JwtTokenVerifier(jwtConfiguration, secretKey))
            authorizeRequests {
                authorize(anyRequest, permitAll)
            }
        }
    }

    override fun configure(auth: AuthenticationManagerBuilder) {
        auth.authenticationProvider(daoAuthenticationProvider())
    }

    @Bean
    fun daoAuthenticationProvider() =
        DaoAuthenticationProvider().apply {
            setPasswordEncoder(passwordEncoder)
            setUserDetailsService(letsWakesurfUserDetailsService)
        }
}

[christophstrobl]

If you'd like us to spend some time investigating, please take the time to provide a complete minimal sample (something that we can unzip or git clone, build, and deploy) that reproduces the problem.

[odrotbohm]

I've just put an addendum to the security tests we have in place (see 388a043) to show that securing a findById(…) generally works. Not sure how Kotlin might actually play into this. If you want to debug it further, UnwrappingRepositoryInvokerFactory might be a good starting point, in particular the RepositoryInvoker the delegate calculates. I'd be interested to learn about the method you see invoked in invoker.invokeFindById(…) there. That should be the annotated method.

[spring-projects-issues]

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

[spring-projects-issues]

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.