Description
In the current version of Spring Security (version 6.4), a changed behavior occurs when using the @AuthenticationPrincipal annotation on an interface. If the annotation is applied directly to the concrete implementation, everything works as expected and the UserDetails object is passed correctly. However, if the annotation is applied to an interface, the implementation receives a new or empty UserDetails object.
Reproduction of the problem:
The problem can be reproduced with the example project: K-e-l-v-i-n-12/spring-security
Steps to reproduce:
- Start the application.
- Call http://localhost:8080/userByInterface (any username/password). The response is: Hello, null.
- Call http://localhost:8080/userByImplementation (any username/password). The response is: Hello, test.
Actual behaviour:
If @AuthenticationPrincipal is applied to an interface, the implementation receives an empty UserDetails object.
Expected behaviour:
The UserDetails object should be passed correctly even when an interface is used.
Proposed solution:
Extend support for @AuthenticationPrincipal to interfaces.
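
The two arrangements the report contrasts, as an added sketch that is not code from the issue or from the linked example project. The endpoint paths come from the steps above; every class and method name, and the concrete AppUser principal type, are assumptions made for illustration.

```java
// Added illustration: all type and method names here are hypothetical.
import java.util.Collection;
import java.util.List;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Assumed concrete principal type that the application's UserDetailsService returns.
class AppUser implements UserDetails {
    private String username;
    public AppUser() { }
    public AppUser(String username) { this.username = username; }
    @Override public String getUsername() { return username; }
    @Override public String getPassword() { return null; }
    @Override public Collection<? extends GrantedAuthority> getAuthorities() { return List.of(); }
    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return true; }
    @Override public boolean isCredentialsNonExpired() { return true; }
    @Override public boolean isEnabled() { return true; }
}

// Case 1: @AuthenticationPrincipal appears only on the interface method's parameter.
interface UserByInterfaceApi {
    @GetMapping("/userByInterface")
    String hello(@AuthenticationPrincipal AppUser user);
}

@RestController
class UserByInterfaceController implements UserByInterfaceApi {
    @Override
    public String hello(AppUser user) {
        // Reported on 6.4: 'user' is a new/empty object, so the response is "Hello, null".
        return "Hello, " + user.getUsername();
    }
}

// Case 2: @AuthenticationPrincipal sits directly on the concrete handler's parameter.
@RestController
class UserByImplementationController {
    @GetMapping("/userByImplementation")
    public String hello(@AuthenticationPrincipal AppUser user) {
        // Reported: the authenticated principal is injected, so the response is "Hello, test".
        return "Hello, " + user.getUsername();
    }
}
```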