Spring Security 6 combined with AspectJ weaving of spring-security-aspects executes PreAuthorize twice #13160
Comments
rolevinks
added
status: waiting-for-triage
|
Thanks for the report, @rolevinks. It appears this is due to the fact that the AOP Advisor bean is registered even when You can address this in your application for the moment by changing the annotation to: @EnableMethodSecurity(prePostEnabled = false, mode = ASPECTJ)And then publishing the following bean: @Bean
fun preAuthorizeAuthorizationMethodInterceptor(expressionHandler: MethodSecurityExpressionHandler): MethodInterceptor {
val authorizationManager = PreAuthorizeAuthorizationManager()
authorizationManager.setExpressionHandler(expressionHandler);
return AuthorizationManagerBeforeMethodInterceptor.preAuthorize(authorizationManager);
}The reason this works is because it is publishing the same bean as a To fix this passively in Spring Security may take a bit of research; however, I believe one way to address it is to publish a different configuration class when the advice mode is |
jzheaux
added
in: config
|
Hi Josh, Thanks for the quick reply, the workaround will do for now. |
Describe the bug
We just updated Spring Security to version 6 in our project , and replaced the @EnableGlobalMethodSecurity with @EnableMethodSecurity, both with adviceMode ASPECTJ. Furthermore, we have a @PostFilter on some getters in our entities, so we also use the aspectj maven plugin.
Previously, this worked perfectly, but since the upgrade, the permission checks on methods in components are executed twice instead of once.
To Reproduce
See attached project.
Expected behavior
Permission checks are executed once.
Sample
test.zip
The text was updated successfully, but these errors were encountered: