Context
I've switched from the @EnableGlobalMethodSecurity annotation to the @EnableMethodSecurity annotation and this caused the existing permission evaluator not to be applied to @PreAuthorize annotations for methods.
There is of course a way to fix that easily by defining a custom expression handler that utilizes the permission evaluator, but I would've expected that the old way of the @EnableGlobalMethodSecurity using the existing permission evaluator should also work with the new annotation without defining additional beans.
But maybe this was a conscious decision or I'm simply missing something.
Thanks in advance for taking a look.
@GFriedrich, glad to hear you are using the new @EnableMethodSecurity.
It is intentional to try and keep things as simple as possible for the initial releases. Since this feature's absence doesn't create a security issue in the worst case (all evaluations are denied by default) and because it's quite simple to make the adjustment, it's a lower priority feature to add. Also, I don't want to add a feature just for the sake of making it easier to migrate.
That said, I think that it's reasonable to leave this ticket open and see if people vote for it as a desired feature.
In the meantime, I agree that the simplest way to use your PermissionEvaluator is to publish a @Bean like so:
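As an added illustration of the approach jzheaux describes (this is not the snippet he posted and not code from the Spring Security project), the configuration below publishes a MethodSecurityExpressionHandler bean that carries an application-owned PermissionEvaluator, so that hasPermission(...) in @PreAuthorize is routed to it under @EnableMethodSecurity instead of the default DenyAllPermissionEvaluator. The package name and the classes Document, DocumentPermissionEvaluator, MethodSecurityConfig and DocumentService are hypothetical; the Spring Security types and the setPermissionEvaluator method are the real API. It assumes Java 17 and component scanning of the package.

```java
// Added example, not from the issue author or the Spring Security project.
// Hypothetical names: Document, DocumentPermissionEvaluator, MethodSecurityConfig, DocumentService.
package example.security;

import java.io.Serializable;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

/** Constructed domain object: a document owned by one user name. */
record Document(String id, String owner) {}

/** Deny-by-default evaluator: only the owner may read or write a Document. */
@Component
class DocumentPermissionEvaluator implements PermissionEvaluator {

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !auth.isAuthenticated() || !(target instanceof Document doc)) {
            return false; // anonymous caller or unknown target type: deny
        }
        String action = String.valueOf(permission);
        boolean isOwner = doc.owner().equals(auth.getName());
        return isOwner && (action.equals("read") || action.equals("write"));
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        // The id-based form would need a repository lookup; nothing is resolved here, so deny.
        return false;
    }
}

/**
 * Under @EnableMethodSecurity the PermissionEvaluator bean is not picked up on its own,
 * so the expression handler is published explicitly. The method is static so the handler
 * exists before the method-security advisors that depend on it are created.
 */
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {

    @Bean
    static MethodSecurityExpressionHandler methodSecurityExpressionHandler(PermissionEvaluator evaluator) {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(evaluator);
        return handler;
    }
}

/** Service whose annotations now route hasPermission(...) to DocumentPermissionEvaluator. */
@Service
class DocumentService {

    @PreAuthorize("hasPermission(#doc, 'read')")
    public String read(Document doc) {
        return "contents of " + doc.id();
    }

    @PreAuthorize("hasPermission(#doc, 'write')")
    public void write(Document doc, String contents) {
        // persist contents here
    }
}
```

Without the MethodSecurityConfig bean, the same annotations evaluate against DenyAllPermissionEvaluator and every call to read or write is rejected, which is the behaviour the issue reports; with it, the owner check in DocumentPermissionEvaluator decides.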
@jzheaux: Thanks for checking and good to hear that I didn't miss anything. Maybe it is worth mentioning somewhere that there is at least this kind of difference when switching the annotations, simply to make the migration path clear to everybody and avoid falling for the same issue over and over again.
Thanks for your time nevertheless. 🤝
Expected Behavior
The expression handler that gets created per default in PrePostMethodSecurityConfiguration (spring-security/config/src/main/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.java, line 63 in 74d646f: DenyAllPermissionEvaluator).
Current Behavior
The expression handler should be set up in the PrePostMethodSecurityConfiguration with the existing permission evaluator like