RoleHierarchy not automatically inject in overwritten MethodSecurityExpressionHandler bean #16307
Labels
in: config (An issue in spring-security-config)
status: feedback-reminder (We've sent a reminder that we need additional information before we can continue)
status: waiting-for-feedback (We need additional information before we can continue)

If you manually define both a RoleHierarchy bean and a MethodSecurityExpressionHandler, the RoleHierarchy isn't injected in the MethodSecurityExpressionHandler bean. As a result, the role hierarchy isn't applied when calling hasRole() when securing a method with @PreAuthorize.

To Reproduce

1. RoleHierarchy bean
2. MethodSecurityExpressionHandler. For example, by inheriting DefaultMethodSecurityExpressionHandler.

Expected behavior

The RoleHierarchy bean is injected in the manually defined MethodSecurityExpressionHandler and can be used with @PreAuthorize and hasRole()

Current behavior
When you launch the application the following happens in order:

1. PrePostMethodSecurityConfiguration initializes expressionHandler with a manually created DefaultMethodSecurityExpressionHandler
2. RoleHierarchy bean is injected in PrePostMethodSecurityConfiguration and expressionHandler.setRoleHierarchy is called
3. MethodSecurityExpressionHandler bean is injected in PrePostMethodSecurityConfiguration and the configuration is adapted, but the method setRoleHierarchy isn't called on the new bean.