property permissionEvaluator of DefaultMethodSecurityExpressionHandler is always DenyAllPermissionEvaluator in child application context

[toughpheeckouse]

spring-security version 4.1.3.RELEASE

I have root application context and I created a new child context while initializing root context. Root context has configuration bean GlobalMethodSecurityConfiguration:

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfiguration extends GlobalMethodSecurityConfiguration
{
... 
    @Bean
    public MutableAclService aclService()
...
    }

    @Bean
    public PermissionEvaluator permissionEvaluator(AclService aclService)
    {
        return new AclPermissionEvaluator(aclService);
    }
...
}

while root context initializing created a new child context

migrationContext = new AnnotationConfigApplicationContext();

            migrationContext.setParent(applicationContext);

in child context created beans which call some protected methods with PreAuthorize("hasPermission(...)") annotation but I always get AccessDeniedException because root context is in initializing method GlobalMethodSecurityConfiguration.afterSingletonsInstantiated is not called yet and expression evaluator uses default permission evaluator DenyAllPermissionEvaluator but expected to be used AclPermissionEvaluator.

Before changes in afterSingletonsInstantiated method GlobalMethodSecurityConfiguration configures defaultMethodExpressionHandler correct autowired permission evaluator (AclPermissionEvaluator).

How to correct configure GlobalMethodSecurityConfiguration before child context will be create?

[maurociancio]

Hi there, I'm facing the same issue. How did you solve it? Thanks!

[toughpheeckouse]

@maurociancio, GlobalMethodSecurityConfiguration has protected method createExpressionHandler. I've overrided it and set correct PermissionEvaluator:

@Override
    protected MethodSecurityExpressionHandler createExpressionHandler()
    {
        MethodSecurityExpressionHandler expressionHandler = super.createExpressionHandler();

        if (expressionHandler instanceof DefaultMethodSecurityExpressionHandler)
        {
            DefaultMethodSecurityExpressionHandler defaultMethodSecurityExpressionHandler
                = (DefaultMethodSecurityExpressionHandler)expressionHandler;

                defaultMethodSecurityExpressionHandler.setPermissionEvaluator(permissionEvaluator);
        }
        else
        {
            logger.warn("MethodSecurityExpressionHandler is not instance of DefaultMethodSecurityExpressionHandler.");
        }

        return expressionHandler;
    }

If you'll get more beautiful solution, share it please

[maurociancio]

yes! i've ended up using the same approach. Thanks for your reply!